354300x80000000000000001550202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:30.855{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61669-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:37.923{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDFDDEDE293D7011A6B758CDBAA9750,SHA256=5D277F0F60E4EFB938BF05ADCCE41184C81C32F9CE769690B5C7684D8580BF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:37.453{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EE9D1F965B1DEDD48483E3A89CC98EE,SHA256=96402460B711A00D011B7B6F9DCB47475B66527EAE03EC05DB5E8E49420B88AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:37.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:37.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EC8ED135DF6C6FE365D0835EF06E24,SHA256=10DF70FCD1BE42B3CE2BD0BE96CA5D04FAC8DA3FB3109999DF5A0EC73BC17EA9falsetrue 23542300x80000000000000001550203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:38.941{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5E68C1008A79C65ABB9131817E4D37,SHA256=5A8F26A9DB413B2B9E5EE6CB5081543B88AF56C3B47F3BD0FE8870762FFE21D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:38.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:38.427{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C38AC24D298FE988E8333E0525061FD3,SHA256=67DF32347D7A1D66DC522277C3CA07AF6400D0C25BECEF645FBD662C68CF9D43falsetrue 11241100x80000000000000005493192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:38.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:38.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ED89C7BD5C6EE620B64008FFD01A4C,SHA256=14B54D701800D39F21E084C28AC31795C9D3374E176C6925307388617055F9A3falsetrue 23542300x80000000000000001550204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:39.943{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638A75A5E8C5E926AF0CB88292B4B173,SHA256=067BECCE1FEF51AF2D011A73B737855C6BBE74AE7503423B05C6D401199C642B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:39.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:39.193{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=555F44BAAF5DE1100BB6CFBDCF007059,SHA256=E10E82FFB5F502282240CB3E8C6119861EC3DE5E4DD60D0ACE2B3B384AF574ABfalsetrue 11241100x80000000000000005493196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:39.052{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:39.052{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0638AF7FF9BBB0D3EDB64F642261B287,SHA256=2E0D749E0D666CAF3F58CFFA6A83C6CD5D5514FF0457941977246218BE8DF03Afalsetrue 23542300x80000000000000001550205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:40.961{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B7800E42A2518060EEA40ABA117A70,SHA256=4D03B9B897D56387BA94D6FD214FD5F96C2E4120D5C265467773324993CE8B9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:40.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:40.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D065A6FCD07E50055C379E8162A295,SHA256=631F38130D80ADC65E85E23AE769A4C23769BC6C0959C0E9AC0F59FEC1930CA3falsetrue 11241100x80000000000000005493202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:40.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:40.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A69FFE465A72A0693E87D495B44545B,SHA256=D5AD8E6D8FEAB8A449A093330F4D7D78C1E6E884E870A254CD7F9A3CF5A148C7falsetrue 11241100x80000000000000005493200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:40.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:40.036{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FC3FDA237B3826B6E93C74C9D4BE67,SHA256=9FE1AC5B3306252477798947E8F50BB6748D3223A3024456FE5D08F507662227falsetrue 23542300x80000000000000001550214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.963{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32224CE54FFD1D6089227EE7E2DEB546,SHA256=A176251E99746A550BC30649D61BECF218AF0314A1A0A04D348BD2E947B52B1A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:41.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:41.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BC184E6236A25895DD759BF2A51888,SHA256=CED132B7BD4D6FEF2EA8F3196FAA8D1CAF98B1CD47BB7EC12E1A13F3287EB6A2falsetrue 10341000x80000000000000001550213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.462{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-10C9-6139-88D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.462{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.462{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.462{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.462{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.462{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-10C9-6139-88D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.462{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-10C9-6139-88D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.447{AEE49BD1-10C9-6139-88D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000005493205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:26.517{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49724-false10.0.1.12-8000- 23542300x80000000000000001550216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:42.981{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3395FDA283C111E82FDDE50913FCF2CC,SHA256=F0BE320344C50F4BF2886A380CAB01499BEC7571B178BF09B8B3155A714E96E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:42.255{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:42.255{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86BB384317099302786C14688AEBB60,SHA256=36C147E6C300CA73F6509301C7BBFC855187A1A2D1175B371A4B26D6439A2CBDfalsetrue 23542300x80000000000000001550215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:42.448{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA480FA1F506CBF52ABB33186D7973F8,SHA256=FA280DFA49E2280397619C2E0516231111E909B88FBDB0C6E349A12FEA16F9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:43.983{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADC431CC8051493FBAA2AB710E36B7C,SHA256=713F4C153B066006F13DB06C03CA684C94412748CF5E86F2D8BA3ED946679ED5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:43.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:43.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF121656FF595818EB64FD123F68B6AE,SHA256=95B52BCAD5C136D2388ECAF6CFF3B5301E72B1B044A66475DBBDDBAA99D0CBC1falsetrue 11241100x80000000000000005493211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:43.271{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:43.271{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA05D12D80D4F13689BE1BAC227D3CF,SHA256=FAAF8D092C21445A9049612127EFCC81194044EC62DDE85BA8116894BCF51E23falsetrue 23542300x80000000000000001550219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:44.985{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EF1089E23F98C20375BFF498153495,SHA256=A3090FC0F6CF888E59FAAB2BBD632849D8A2C16EFB65D1547CA00E75D74B671E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:44.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:44.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68481A5B9FD29C6CFB5D7CBE2050590,SHA256=ABBDCE0A55586BBA2F03DC1A6225F1ED8EB750BDF839D03CFCF5B7504282DDF9falsetrue 354300x80000000000000001550218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:36.698{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61670-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005493215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:44.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:44.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=25C68F52C12EC6430B071EE61D53AEFA,SHA256=66B882BF5A121ACB1A8C0A22E4AC971762493D915F04F9EEC7FFAD265BBB01D5falsetrue 23542300x80000000000000001550220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:45.988{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDD80389A768612681AF0096183DB37,SHA256=C1638779291DCA8B06002332559FDD05A65E657A1790F74FA8BAFF10225AD6B3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:45.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:45.630{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64EC3D8BA7E551EDE0A38799F151AC4,SHA256=0BCE99556122F58F41A45A76BC41F2CD32EA2A67E56FC4786BAEC17EBEACC699falsetrue 11241100x80000000000000005493221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:45.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:45.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAF85B55986939434326E243D8FFAD46,SHA256=39A35746D5FB7ED617FA0D6984C0DC16CF60B26479E1791F9B90A458D9B4CB84falsetrue 11241100x80000000000000005493219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:45.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:45.224{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A69FFE465A72A0693E87D495B44545B,SHA256=D5AD8E6D8FEAB8A449A093330F4D7D78C1E6E884E870A254CD7F9A3CF5A148C7falsetrue 23542300x80000000000000001550221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:46.990{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D64AF308D93974E5ECD80C2DF92D85,SHA256=36938CDE0943278FCAA954F0442F4E925AAF0991BF2C6479C16D5D9E1D163599,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:46.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:46.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAF85B55986939434326E243D8FFAD46,SHA256=39A35746D5FB7ED617FA0D6984C0DC16CF60B26479E1791F9B90A458D9B4CB84falsetrue 11241100x80000000000000005493226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:46.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:46.646{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F303201F5ADDA12CDCAF3C61FC937D87,SHA256=05042C2F01DD98A4C8AE23E75CDD0DE0498D24D5B5355308666D1C01E7BA2B09falsetrue 354300x80000000000000005493224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:31.720{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49725-false10.0.1.12-8000- 23542300x80000000000000001550222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:47.992{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7CC2498D83FCDA7102C69A1C710398,SHA256=7BDB67C9A02D96F9E4E05286E1036611B283A2AC2E3E69853FBB237DCC8A0EAE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:47.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:47.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314B2F408D47331A66F46D319B6A7F41,SHA256=6178508009333F1573EA73D0A1DFADB183F4D585C3B3CFCBDD7B9784B84E2292falsetrue 23542300x80000000000000001550225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:48.994{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A233909D9D7ACD6FD4BEDAFD5E87266,SHA256=1FDF981C88886224B6B652BE154E07FBAC9C11F08EABC1C3B444B5AE1FB713CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:48.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:48.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174150307EE9AC67C7A9B7BB20243987,SHA256=EDEBF1FE02616F29F56CABDD64A13AD9DF689AA11F1E5C1558FE6259ED69E2C6falsetrue 23542300x80000000000000001550224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:48.227{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15AD90F1FE5BEAC9C69532A99FEC2BAC,SHA256=6694D3222073E5F5E24DC91817356EF213FAA7887FFD75904DC290DE3F2853B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:48.226{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=155DFF1F0BB50287D64AE81C84EED115,SHA256=77C4CD4085977E1B9F697D0153B17FC6500721FF1C376B62EA44BB9FCF7FF41C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:48.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:48.583{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2E4C381D5673E29C099AAD4080905052,SHA256=2030E0E6C37CDB81EDA27D478F1AFD6BEAB03601858A8C12B6EDF4E80618A8ACfalsetrue 23542300x80000000000000001550227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:49.997{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945E5BA6FB05045E5AF54C9BD188CC5D,SHA256=38E51341182FD498B9A1EBFE009BF2295C7432400A387804F1ED350FCDC12A79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:49.755{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:49.755{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAB4748556F438ADA3F8744D95B5E36,SHA256=C0472C30CDFFFF26CBB997F6231621758B613DA81CE781904889A687BEC7F29Afalsetrue 354300x80000000000000001550226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:41.829{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61671-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000005493250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000005493249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1aa27ab3) 12241200x80000000000000005493248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000005493247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e0-0x7b998a89) 13241300x80000000000000005493246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4e8-0xdd5df289) 13241300x80000000000000005493245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f1-0x3f225a89) 13241300x80000000000000005493244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000005493243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1aa27ab3) 12241200x80000000000000005493242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000005493241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e0-0x7b998a89) 13241300x80000000000000005493240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4e8-0xdd5df289) 13241300x80000000000000005493239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:36:49.646{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f1-0x3f225a89) 11241100x80000000000000005493238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:49.318{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005493237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:49.318{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005493236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:49.318{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:49.318{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDB4663021728ADA9A266F459CD0484F,SHA256=43A290146333B341CA8DF770B4A09FA22AC0DA3DB3E2CDFC08E2A5F797EA73ECfalsetrue 11241100x80000000000000005493256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:50.756{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:50.756{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C59A750619796AD5B9B126D5AC94A9F,SHA256=27A236F25646406B96466C1DC6C2D8A6F519F6CAE44433F82022A3A8945A88DAfalsetrue 11241100x80000000000000005493254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:50.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:50.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=770D2B23CE299FF096C07DF38E0E2D51,SHA256=580C2B97EB6FAC3ADAF28A18A9048553DE67340ABDF27534053174524290C3C1falsetrue 354300x80000000000000005493262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:37.673{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49727-false10.0.1.12-8000- 354300x80000000000000005493261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:36.814{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49726-false10.0.1.12-8089- 11241100x80000000000000005493260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:51.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:51.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF9EF5F3149EFD7302F91922607F0F5,SHA256=9852F7F6AECF098EA8EAC875439D8D0A63D881CF4F31234225901A823E8869B0falsetrue 23542300x80000000000000001550228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:50.999{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91256DBB25DAC1C1EA849DF88F877EED,SHA256=8C8396C9A6A617E55E9BBA5B49858A9E385AFFBC117DEEC50F11C28AE99624F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:51.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:51.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12400481FACB0A79603F5E6AD28F98F3,SHA256=5F3F8F79806DCF6CABF6A38EC3F29A1EF6C76DB3D4251631B4E32C392C19DFBBfalsetrue 11241100x80000000000000005493264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:52.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:52.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10210D4A950B10F5F9A6A76560D2D38,SHA256=7E317D1F612AE46DBAC461E5F34421E453594E6D874D27076CB97B0B847E9F5Bfalsetrue 23542300x80000000000000001550229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:52.036{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DC576FC95F0C3D019FA746C0D41E29,SHA256=50B58C1ED8734E7427B48D772D486F06CEA553043F8AF3202BDEE8AE86B87E6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:53.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:53.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2384BAD7AF458C8482ED973CA2663E,SHA256=1C5CABC1AA37F89F11B3718DCC753BB7D43426D0AD642A19A623995498685477falsetrue 23542300x80000000000000001550232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:53.258{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EECB7F8AC92D7C6951A885187DEDD6FC,SHA256=2EA0BE9103C608396B3CFFAF6D5E439C6CC86052A0863809E13B81ACFBA3EF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:53.258{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15AD90F1FE5BEAC9C69532A99FEC2BAC,SHA256=6694D3222073E5F5E24DC91817356EF213FAA7887FFD75904DC290DE3F2853B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:53.089{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B9A3C207D269706D245C7B2EA67201,SHA256=D297BBB7B131CEFF58953984E24776E24F018B593356E2A8B0FC8640FC0C37BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:53.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:53.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=19FDE0DD0279CD359B5CB5002D89EBFF,SHA256=3142DD4305B0620DBF74976819E1901F1F5B3AC8976D1452A9E65CA4DCA9F62Efalsetrue 11241100x80000000000000005493272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:54.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:54.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8886BA3CB4FD591B674451DAA0EAFFE0,SHA256=A775160A6E3D04973A41A6956B410E2BCC2496F6023637F28557D710F00B3BF5falsetrue 354300x80000000000000001550234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:46.860{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61672-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:54.122{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509AB70C4858D2C76CBE6D1223C94369,SHA256=E70D9CBFCD94DE92C6718C965244C3CCB784B0F6B8B50E324CFF73E85B08B7AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:54.381{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:54.381{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6EE235DACDB452E39754FED5401D298D,SHA256=813E298EC454200B12B4DC638BD04283DA47B51977C310889C0805C5BD0A2E44falsetrue 11241100x80000000000000005493274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:55.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:55.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AAD831F68B31D23DEED6EB298B4524,SHA256=770A7878FD08BBB61DE2588891DD2F7D8158B9B7434DF2FDE7F3A8C3AC667108falsetrue 23542300x80000000000000001550235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:55.143{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FC0E238F371AA3E3733CD1D4EFF122,SHA256=F337D18AA065343F540F1D8564FF71B933C9EC9E45004CF8EF4C285EAA671F05,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:56.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:56.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9042B672D5E64F28664815576F0568D5,SHA256=C6FBECA55AE43A2E986619F9115B5E608D06680799E63D5ADA754CA84D67877Ffalsetrue 23542300x80000000000000001550236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:56.145{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F82CF7C91BA6896F5B4AA2E9005761,SHA256=6D7F27F14E454F59495BF68CE5080781CC005891AC4EB7FEB41A3E8D8EC102F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:57.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:57.866{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881582509FF5687106D7C41A06501E40,SHA256=E00A32FFCF009F81DB01FBCA9BF10A3DC01CAF26930AD37122303D6B1530910Efalsetrue 23542300x80000000000000001550237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:57.151{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C48007B8A29F6DE2DF021626CFEF245,SHA256=8D54DA6E5777923AD7A63ADFA4BB472F5A13EF4E0389E65963BBA07E96BF8604,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:57.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:57.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=133263D499C056FB6A486E518DCE2923,SHA256=691CF8A900C17EE3A9A7F31E1EF77E489B22938E05B27525259F0F241C15B3DDfalsetrue 11241100x80000000000000005493278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:57.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:57.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=784A0F36D890E666199E4FF55969F573,SHA256=36746DE3102CF226245659205888DA832148A23B023D1A47A9D71E2B2066D5BFfalsetrue 11241100x80000000000000005493287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:58.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:58.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F6F6A95FF893FA4551651DB96ECDA5,SHA256=5E233FFA65DA269F0435DD702E9D032AEC3F042C44FB89D8877E4C7F28D77B02falsetrue 23542300x80000000000000001550238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:58.199{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200592EC006EE1504C1D3A5670C11215,SHA256=D5295406E0E51AED829BF6FC66CB71AC32CA4019F70264BE30AD28374DE73BEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:58.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:58.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83877E0620E86407E76FDF4B3DDEDB30,SHA256=1DA3BE36D28CB720DED9304E51E6ABAAE21072887754627BFF6D555DA97D295Cfalsetrue 354300x80000000000000005493283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:43.549{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49728-false10.0.1.12-8000- 11241100x80000000000000005493291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:59.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:59.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C8505C225206C315D832C05C2B3DD8,SHA256=521BA675FC49E70BB4929D83CA67B79608F55EE418B8F048F28BF528C6CDD25Afalsetrue 23542300x80000000000000001550241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:59.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18FEBAC00C73C55E0CA8EC01E447ADF,SHA256=6E7D6FA751AA224E31C9B97E325463E85A55CE055C7FC1FEEED6AF6FF2566A58,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:59.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:59.506{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=322D2916269425ED1F944067EB0644AB,SHA256=23C92CFE7B184B8CE5FCAA3614D2C052DC024DAEDDE13C4E15196A121EAC4D45falsetrue 23542300x80000000000000001550240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:59.032{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDD4DF365F3446F375D1ACE5E6106783,SHA256=371C717E00EB1634C79FA6AEAFFD6D83F04246EEC3281D03DC38DAB61C8E0712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:59.032{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EECB7F8AC92D7C6951A885187DEDD6FC,SHA256=2EA0BE9103C608396B3CFFAF6D5E439C6CC86052A0863809E13B81ACFBA3EF39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:00.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:00.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8F8DDB7D147651544D014AD4A0AEEA,SHA256=AE74843C102BDA636B203853596DE8D88EA3028635ED8FCCEA93F733E36E612Efalsetrue 354300x80000000000000001550243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:52.634{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61673-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:00.234{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D1EBA8D0A87E7381F713C0619FAFA0,SHA256=70AB696BE84BC19F69E4194E9EFABEC5320CC55FF2187000F0384E34A8B8062B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:01.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:01.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50D7B7180CC5517C677FDD3479CFCA7,SHA256=E823519997A6CDB8276DFDECF5AA527022485D27DD4158D3FA13E392D1C6D4CCfalsetrue 23542300x80000000000000001550244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:01.255{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC67E965E0506389675CBE885B04135,SHA256=22F0EBD78D896E5A5F7501969098A762F02D072E4E43BDDDC3B78F73F1455C95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:02.944{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:02.944{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D191C84A2327AE52A7341C47735A96BE,SHA256=D0CE289B665AB3E4E347FB82545097880BFE3D5BC50CC1FA5DB6B53B3D5DE90Dfalsetrue 23542300x80000000000000001550245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:02.275{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D953BE3CC545271A8B0995D1D78EAD88,SHA256=EBCFA5D2285CD369167C9E369430424B2FC5D048CBBF3220B6F726DDC300B371,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:03.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:03.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01395F7F9FA93C000F43C577C2168771,SHA256=54280FF1484827C61076ECC79E15602B0418FDB93600DCBBAE66BF167B0DE75Efalsetrue 354300x80000000000000005493302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:49.580{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49729-false10.0.1.12-8000- 11241100x80000000000000005493301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:03.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:03.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598F3947FCFCF3EE0BBB73963006F8A9,SHA256=06989AB9D2F31FC7AE7CE689A7D332F133AA4C8E156DA76DDE68443810B61C31falsetrue 11241100x80000000000000005493299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:03.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:03.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=133263D499C056FB6A486E518DCE2923,SHA256=691CF8A900C17EE3A9A7F31E1EF77E489B22938E05B27525259F0F241C15B3DDfalsetrue 23542300x80000000000000001550246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:03.293{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F294D244894F814831F48F3E47C720,SHA256=7C25943388AE7981C7EE95190A79FD8DEDB31F2AD303A808099C6C01BFA9800B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:04.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:04.537{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=280D631707C57CB6BA2339D3090EEA22,SHA256=F40A3AC38D1EBD9822CB88450A16D2929235380D48BFDC52C9DD17BEEEC13785falsetrue 11241100x80000000000000005493306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:04.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:04.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F0549937F8E662EBD8C82083CB29A5,SHA256=CD3AAA102C8B7062974068A6DD27717E3C50177D25680201306D4470BDEDBFA7falsetrue 23542300x80000000000000001550249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:04.311{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A0F6F6BC2B7FE72B3F4642C0AADC9E,SHA256=6CC59D410F9F114F63DF7507564A675E45848CE6391CA347755FA117582EC0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:04.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6AA94B508C0792884458C5E487FAE1,SHA256=03C5D79C98AC721F6007DE09E89A39945AF57DD7111ACF11F7BCF82059F1924A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:04.195{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDD4DF365F3446F375D1ACE5E6106783,SHA256=371C717E00EB1634C79FA6AEAFFD6D83F04246EEC3281D03DC38DAB61C8E0712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550251Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:05.362{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AB56C3AC63C659F543BFB4F3292AB8,SHA256=E43FDE9F738C97C9EAD288E6C004350BE9F69C7598A88360BAFFC3AEE2CC4C26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:05.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:05.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A800399C855723DA223718899E6FC9F2,SHA256=CC6F4955D4E3F697531A06204C954E4A357179EC187B4FB91DC6FBE9A989FB88falsetrue 354300x80000000000000001550250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:36:57.798{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61674-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550253Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:06.532{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B933B7F197D08644717E6DCDB309692E,SHA256=5154500374EE0F0FA4FE5292901C8404877E5FCA08BE61DEF8A5DBC6CCF70C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550252Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:06.370{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1182DE93FE34EF793D39F3704FCE5738,SHA256=1684A0C19F8159F2B6E7F53B90650530A41D57D2C6779C5CDCE076CB00F10A59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:06.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:06.694{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598F3947FCFCF3EE0BBB73963006F8A9,SHA256=06989AB9D2F31FC7AE7CE689A7D332F133AA4C8E156DA76DDE68443810B61C31falsetrue 11241100x80000000000000005493312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:06.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:06.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7B1D1F6906BCBEF3A854A0B0F9C857,SHA256=124E52894A363401B73BC0A6D9A6A94F6E080487D182EF0D8A9B282E0A1BF3F6falsetrue 23542300x80000000000000001550254Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:07.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3A79E2F7920DAE049D7A244A19E0C8,SHA256=4DF404FCEFE630F3826BAE22F4D12770721FCB8FB1EA1161C5D6D8226931F781,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:07.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:07.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3EC580038A08CEF73772938989FD244,SHA256=0755A90839DDB46914D2BE14EFCE815D69314F54B03322C897882A6635CA4D09falsetrue 23542300x80000000000000001550255Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:08.421{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706FD01C3C7F550BE5BA2B730A74F1EE,SHA256=6DBBBF0ED575667A17C99C30A71243CDA45525EBBC4BA22ED7FE86C75B0AC0EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:08.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:08.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E3E61AC5B22A450CC7B23A54EF2C3A9,SHA256=4B6B675B23960A1B2332107CC9F7FC5653A0AC8A0A4E317D84615D05E682359Afalsetrue 354300x80000000000000005493321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:54.580{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49730-false10.0.1.12-8000- 11241100x80000000000000005493320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:08.412{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:08.412{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9DE2F34EB6BBB7538EAF4A1AB65F9A,SHA256=CA794769E16B9A3B61297976D3CB823B8F4A3CD3C4118135F571EB23F90DAE77falsetrue 11241100x80000000000000005493318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:08.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:08.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50C0D0434E339F5029127E9696CEF0C0,SHA256=27272289E74CE86BECBBAA654AFB36F9A76591D7691393C336CCC7859CA25B42falsetrue 11241100x80000000000000005493327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:09.631{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:09.631{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=52759F2F78570E33EDA5691AF0634084,SHA256=1BDC555690CB04D12DB311F60105D1FAF6FBC4A18492DD82E6232F9E811564B8falsetrue 11241100x80000000000000005493325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:09.428{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:09.428{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5843E3ECA95C20A08DEA8718C0E509F,SHA256=772EC8984E13FDB1247B724BBB3E81E0CCB0E242D30C8FDE38064A4475AC305Dfalsetrue 23542300x80000000000000001550258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:09.438{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480732ECC25581A56BB6526DD56A7B2E,SHA256=F0FE1D9E8C7B3EB00BEFBD7813FB41A0405425B770BA21F9AF4EBC43ECAC43FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:09.274{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09BBA398A187D5386645A203A1E6ACAF,SHA256=53D1D52E272D4B9BD04AD3AB5EF69609103222457E0E557A541B5CDB62AAB8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550256Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:09.273{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6AA94B508C0792884458C5E487FAE1,SHA256=03C5D79C98AC721F6007DE09E89A39945AF57DD7111ACF11F7BCF82059F1924A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:10.475{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:10.475{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7513EDB5C8FFEABE4EC6068F609FAA5,SHA256=8CBECA4EDFB96622EF313CC909483F2F72418A293E389758EE46008B6515835Bfalsetrue 23542300x80000000000000001550260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:10.455{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CEDB46644987A887F364095A8F2F83,SHA256=E22F799D2F0B64992B8558327DAA971E9E86472FED42B805724DAB85BABCD614,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:02.810{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61675-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550261Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:11.457{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A186D21DCED2136E94C25E696939E19,SHA256=31541E40E3D5197454BEF05FCAA684669D43BABD0CA731CFA7036E34B726D089,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:11.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:11.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1321C8C036BC93EB0C1F577A72DC671,SHA256=CE643F658AC97CD4A1799E564858D7480631B4D3350279F333E5CA1F9A8598CCfalsetrue 11241100x80000000000000005493333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:11.495{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:11.495{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBE040FC333CB936182C2C3D13AD0A4,SHA256=4B00F6E9D7A45D04056F0EDB08F09139A543C8DB2F2AA481109C388F4CE053E5falsetrue 12241200x80000000000000005493331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:37:11.230{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005493330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:37:11.230{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001550262Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:12.476{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C0CF9E928645A1C26249D0948C17CD,SHA256=459A9C2650ED8FACBAF50AD9C450B3F87FEB5539A10221FDEF1D9F4973421CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:58.741{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49731-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005493338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:36:58.740{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49731-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005493337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:12.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:12.527{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817E7588811D9E6C71C8B81D64ECF529,SHA256=A5FE8DCB5A8342C18D3FC147AD0F15A25C70DAFF9430FAAAE4215DD8243B0E6Ffalsetrue 11241100x80000000000000005493343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:13.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:13.855{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8FCD6513D1440FF9D7B94A343F5601AC,SHA256=F5EE44B48488D4BE205ADF7EAE0FE38D48E7BDF9A434BFCA22C288A5C5F7BA62falsetrue 11241100x80000000000000005493341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:13.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:13.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4258299718821A67DD181978AFE56D,SHA256=DB2EFB1905A7DF6C393F4D4ADB6FA1240309694108D694A3DE465B012BC967E0falsetrue 23542300x80000000000000001550263Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:13.479{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87FE68ED9DBCE5352B061ED652F59D,SHA256=DD991CBD4828408C6E63C576F816519B879DE3BA4E512339EDA9CE97E111AE27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:00.615{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49732-false10.0.1.12-8000- 11241100x80000000000000005493349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:14.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:14.698{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ADCDEB43F06AC2BA8B5524EC785D44E7,SHA256=25C7071EC81B99563FE2E8FAF3B3B3A59EC55D7E468872211B68210B31F02353falsetrue 11241100x80000000000000005493347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:14.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:14.558{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E413851E66CCF1254485B8152A27F90A,SHA256=3DC33CCDCB8A624F26E55F2A873057FA990B14A79B4C4A1554A9DFA6A75F069Dfalsetrue 23542300x80000000000000001550267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:14.717{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:14.482{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FDF5F51CB77B18D4757FDB1B4898CF,SHA256=652721E61E4EB7AEDCC2FDC6EE546DBEB893A0AB1218D112622D09CEBE00EBE5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:14.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:14.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FBCD06F5AB1BE31D2D759F418CCCC1E,SHA256=FDC08B40A3CC3CA1B67477BC4260F89C68C8046C7D2073C62F5727831F2F7242falsetrue 354300x80000000000000001550265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:07.834{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61676-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:14.248{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09BBA398A187D5386645A203A1E6ACAF,SHA256=53D1D52E272D4B9BD04AD3AB5EF69609103222457E0E557A541B5CDB62AAB8BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:15.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:15.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6A33112BC435002A1C3C4BD4B344A3,SHA256=87BB5F9CFCC94ADE89E5C1C66C7F2EC3132EF55F185B2BE48BC8920FAE98B600falsetrue 23542300x80000000000000001550269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:15.719{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC9E31D2A0C5251E0C4C590B3427D90C,SHA256=EC3BDD4C4FE90E30E826602D5A8ACA78AAE49DAC6650E60B4251ECFB7FE20583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:15.535{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DC41367CBF322D983666B3608BF2CE,SHA256=C777A13D35E633464225B74E5C7CBDDE058887CCD15E896D472ED5215E582E54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:16.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:16.636{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFB7AC254C79DEAECCF9DAE56032B1C,SHA256=C9C7ACCF66968ADC2FD56AF182F0B9F07576BBFA77103868052B1A0E175D98E7falsetrue 10341000x80000000000000001550278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.768{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-10EC-6139-89D0-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550275Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550274Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550273Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.768{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-10EC-6139-89D0-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550272Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.768{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-10EC-6139-89D0-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550271Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.753{AEE49BD1-10EC-6139-89D0-00000000F101}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550270Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:16.567{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCC0F9A0BBB1B8D6091CCB96A562270,SHA256=4FA51C26CAA8464ABAB38556B83357619E5BE13B59AC8FDF2648CA708C3E237B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550290Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.786{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADFDAECD4264158BA3AD76695E1ECB24,SHA256=EE0798BF344C9F41A37949E7DAC2F56A4298AA5456D68DF711509889234A9D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550289Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.589{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A9A5AC7A98582F71A60C1B0E9D7CE7,SHA256=DCF9C6E16C149B48D584F59B21930C41777946ED7D696531F0BD28F6FC325A3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:17.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:17.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D492BBFF6F56EF08D81E72366B8A53,SHA256=44C37F36835990AEF7837757B390476A191B381DBECC82795991501278BE041Efalsetrue 10341000x80000000000000001550288Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.568{AEE49BD1-10ED-6139-8AD0-00000000F101}54481056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.452{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-10ED-6139-8AD0-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.452{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.452{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.452{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.452{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550282Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.452{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-10ED-6139-8AD0-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550281Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.452{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-10ED-6139-8AD0-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.437{AEE49BD1-10ED-6139-8AD0-00000000F101}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001550279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:09.306{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61677-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x80000000000000005493360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:18.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:18.917{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A741D3C38DF65C4CE292E3AF56AB133C,SHA256=34934A38B0D3B34B9F305C7BDDD83E2759C563245CD96E76753DEF0958A68CFAfalsetrue 11241100x80000000000000005493358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:18.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:18.683{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3EE7EBE5263649DB1D93D54B480ECF,SHA256=5269E6FD4108E135EB0FCDA5332F225704E5B0CD4DD972767FA65ECC35D71C64falsetrue 23542300x80000000000000001550300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:18.990{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A71CB0B1BCAF5666497987898DDE7F5,SHA256=33EEFCD58871C20E05BA41832F2B9A19DBCD7A87FE3A510F23E1FE8B0F9673F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:18.621{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90CDB99BFD17DA51EFCCDE9ECC5CD6A,SHA256=E2A6F9C849143DAF1C99D74E9968FF45B4E689707364CF0EE7E984A626B6AB46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.989{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-10ED-6139-8BD0-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.989{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.989{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-10ED-6139-8BD0-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.989{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-10ED-6139-8BD0-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:17.985{AEE49BD1-10ED-6139-8BD0-00000000F101}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:19.638{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C08164FE5037F4CC6FA33D20C8CF64,SHA256=00B7E89A1B4ACA1BDE347B37AAA865466D39A3484C530B31AD0E7F924DE324AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005493420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.655{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7262MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005493419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.654{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72622021-09-08 19:37:19.653 11241100x80000000000000005493418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.653{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72632021-09-08 19:37:19.653 534500x80000000000000005493417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.543{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005493416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.543{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005493415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.543{4DF467A6-10EF-6139-90D6-00000000F001}8046444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.543{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005493413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.543{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005493412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.434{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005493411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005493410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005493409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005493408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005493407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005493406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005493405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005493404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005493403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005493402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005493401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005493400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005493399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005493398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005493397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005493396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005493395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005493394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005493393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005493392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005493391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005493390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005493389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005493388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005493387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005493386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005493385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005493384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005493383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005493382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005493381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005493380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005493379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005493378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005493377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005493376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005493375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005493374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005493372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005493371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005493370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005493369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.418{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005493368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.403{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005493367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:19.403{4DF467A6-10EF-6139-90D6-00000000F001}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005493366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:19.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:19.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:19.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:19.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:19.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:19.403{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:20.656{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43ACB79BAF13B341B1063E06BCF973BB,SHA256=658F734C8E3780245603B0660B6A583250B53985024CD403AEDC399AFE9BFC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:06.568{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49733-false10.0.1.12-8000- 534500x80000000000000005493541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.884{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005493540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.884{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005493539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.884{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005493538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.884{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005493537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.775{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005493536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005493535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005493534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005493533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005493532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005493531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005493530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005493529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005493528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005493527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005493526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005493525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005493524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005493523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005493522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005493521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005493520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005493519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005493518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005493517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005493516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005493515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005493514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005493513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005493512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005493511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005493510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005493509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005493508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005493507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005493506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005493505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005493504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005493503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005493502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005493501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005493500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005493499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005493497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005493496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005493495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005493494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.759{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005493493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.743{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005493492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.744{4DF467A6-10F0-6139-92D6-00000000F001}7316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005493491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:20.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:20.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:20.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000005493485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.668{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7263MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 534500x80000000000000005493484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.199{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005493483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.199{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005493482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.199{4DF467A6-10F0-6139-91D6-00000000F001}74044496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.199{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005493480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.199{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005493479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.090{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005493478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.090{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005493477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.090{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005493476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.090{4DF467A6-10F0-6139-91D6-00000000F001}7404\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005493475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.090{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005493474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.090{4DF467A6-10F0-6139-91D6-00000000F001}7404\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005493473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.090{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005493472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005493471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005493470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005493469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005493468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005493467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005493466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005493465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005493464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005493463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005493462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005493461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005493460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005493459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005493458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005493457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005493456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005493455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005493454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005493453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005493452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005493451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005493450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005493449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005493448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005493447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005493446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005493445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005493444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005493443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005493442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005493440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 11241100x80000000000000005493439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 734700x80000000000000005493438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 23542300x80000000000000005493437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=380156F9FC58F32EC6C7D6892EE9C3CD,SHA256=4EAE91E609B65ED00B16BDFCCB5592FEDAFABEF3840E5D0F5AF59EA1D543E31Bfalsetrue 734700x80000000000000005493436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 11241100x80000000000000005493435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 10341000x80000000000000005493434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000005493433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90B9BAA969D3F5A8EC43D833FE8641A2,SHA256=28E6D9B787F9E1026E15D8FEE3A7B7C59C5EFC1D587A182468C11CA80C702A11falsetrue 10341000x80000000000000005493432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.074{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005493431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.062{4DF467A6-10F0-6139-91D6-00000000F001}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005493430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:20.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:20.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:20.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005493425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 17141700x80000000000000005493424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:20.058{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000005493423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C387D29B4107F5635D323C36AE6D75,SHA256=7E1CBF580EF3ABDBE61BB9CC63A2680B4FA54EBF1037C122AA702B72F7872E44falsetrue 11241100x80000000000000005493422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:20.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=600812F37AB26372A2C8D4DFD1E4520E,SHA256=7C7595004C7023F8777C391CF9F1FDCEE9173EF18F655A9F5B0651768DC8E096falsetrue 354300x80000000000000001550303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:13.844{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61678-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:20.240{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D088ABCBC0C06B67226CADE79FA5166,SHA256=D1D984090A4788652385C6618DB2706CAA52F64E0BD5520BEC40757280B0A41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:21.658{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A193AD695EC2B924090CDF81A618800,SHA256=A7087360CCD302B9C15656DC4BA8071457254FD00249580D46F129203C15A631,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005493656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.997{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005493655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.997{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005493654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.997{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005493653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.997{4DF467A6-10F1-6139-94D6-00000000F001}5480\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005493652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005493651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005493650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005493649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005493648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005493647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005493646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005493645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005493644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005493643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005493642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005493641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005493640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005493639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005493638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005493637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005493636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005493635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005493634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005493633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005493632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005493631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005493630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005493629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005493628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005493627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005493626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005493625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005493624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005493623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005493622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005493621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005493620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005493619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005493618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005493616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005493615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005493614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005493613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.981{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005493612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.965{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005493611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.966{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005493610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:21.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:21.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:21.965{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005493604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.418{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005493603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.418{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005493602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.418{4DF467A6-10F1-6139-93D6-00000000F001}78405752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.418{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005493600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.418{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005493599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.309{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005493598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005493597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005493596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005493595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005493594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005493593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005493592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005493591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005493590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005493589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005493588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005493587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005493586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005493585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005493584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005493583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005493582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005493581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005493580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005493579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005493578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005493577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005493576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005493575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005493574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005493573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005493572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005493571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005493570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005493569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005493568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005493567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005493566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005493565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005493564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005493563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005493562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005493560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005493559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005493558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005493557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005493556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.293{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005493555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.279{4DF467A6-10F1-6139-93D6-00000000F001}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005493554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.278{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:21.278{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.278{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:21.278{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:21.278{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:21.278{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005493548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4006C1849EC62EB0362B2783955DE65A,SHA256=6E0BF97EF71583B508C3FFD1597089A2503E16875B2C12C0C659B0B7A253369Dfalsetrue 11241100x80000000000000005493546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=380156F9FC58F32EC6C7D6892EE9C3CD,SHA256=4EAE91E609B65ED00B16BDFCCB5592FEDAFABEF3840E5D0F5AF59EA1D543E31Bfalsetrue 11241100x80000000000000005493544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:21.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF71434752A83E970E7757B777D28F2,SHA256=02BD490BEADFDD6B88F2854115475B80E78120E8E82120574D5E4E64A5600080falsetrue 23542300x80000000000000001550306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:22.660{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D369234CE508447D5E128EEC4548453A,SHA256=68973F182E7F27180F58F27958005CE69276A052773FF67E42397B0F471438BF,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005493726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.793{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005493725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.793{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005493724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.793{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005493723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.793{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005493722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.684{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005493721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.684{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005493720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005493719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005493718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005493717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005493716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005493715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005493714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005493713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005493712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005493711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005493710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005493709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005493708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005493707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005493706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005493705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005493704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005493703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005493702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005493701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005493700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005493699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005493698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005493697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005493696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005493695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005493694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005493693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005493692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005493691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005493690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005493689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005493688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005493687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005493686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005493685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005493684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005493683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005493682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005493681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005493680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005493678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005493677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005493676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.668{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005493675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.653{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005493674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.653{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005493673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.653{4DF467A6-10F2-6139-95D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005493672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:22.653{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:22.653{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:22.653{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:22.653{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:22.653{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:22.653{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005493666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24DE0273E756BC398AB50E25C199E40,SHA256=38D40A48784B533C5B62D3F3C49516133AEEBAC03569E95A9935CA41A17D2068falsetrue 11241100x80000000000000005493664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795A5CD1379C3755261575F7CF7E29C2,SHA256=40CC4FD4F1DE2DA5D2F4C758393CD90851BCBC19238D84317D6A9DB09982336Dfalsetrue 11241100x80000000000000005493662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EE50798F84009FF5A43B14C7F23F30C,SHA256=807F8D550B1D5D3CC3D908054E8335FECEB42A6AD66DBE862F79BDCDD1BCA4C2falsetrue 534500x80000000000000005493660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.106{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005493659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.106{4DF467A6-10F1-6139-94D6-00000000F001}54806804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.106{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005493657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:22.106{4DF467A6-10F1-6139-94D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001550307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:23.678{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3294A2A2A5E643A44AA3F18A619709D,SHA256=A30B161E719AA0EBBAB41C4FD6A2405D0F6B1986ACE3B878FC5F618A856C974C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766A9AF40F06907BAA0E57458D9459BF,SHA256=B7A65359310E9159A9EA09EDE5A25DBF75B7731DADB09EFFCC11A7F6E7AE1C96falsetrue 11241100x80000000000000005493786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.653{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FF146ADA911E1AC0961EE61B44DC0D,SHA256=5C6CB75CB885979B17722D70FA8EC82C4359EDC408BA571FE773A496AB2B89FDfalsetrue 11241100x80000000000000005493784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.637{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.637{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951D364245ABD8410848F84E042E9D3E,SHA256=53892D0C1E530A70D5DF116AF60006BF70A747DD45B86CC7A9223CAEB0AF77C1falsetrue 534500x80000000000000005493782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.481{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005493781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.481{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005493780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.481{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005493779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.481{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005493778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.372{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005493777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.372{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005493776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.372{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005493775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005493774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005493773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005493772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005493771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005493770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005493769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005493768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005493767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005493766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005493765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005493764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005493763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005493762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005493761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005493760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005493759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005493758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005493757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005493756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005493755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005493754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005493753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005493752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005493751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005493750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005493749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005493748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005493747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005493746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005493745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005493744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005493743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005493742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005493741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005493740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005493739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005493738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005493737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005493736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005493735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.356{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005493734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.340{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005493733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.341{4DF467A6-10F3-6139-96D6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005493732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:23.340{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:23.340{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:23.340{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:23.340{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005493728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:37:23.340{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005493727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:37:23.340{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:24.680{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2275CDB8661AD0B6452C9DC9A1E12C89,SHA256=8C745B90AA446ACA1055A96431DCAB127711A56FE67F4FBBCF333735556DF243,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:24.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:24.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6D58337A54250209A2EDFBBEC4DC2C10,SHA256=A0860F21756D46D41D59793151577F101DDC7EC64E72840D05337938AE3637D2falsetrue 11241100x80000000000000005493792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:24.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:24.668{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB0108849C0D700341DF9AA6A90EB31,SHA256=870E2EC3383310E1C046981F33E6DBDD4A424C885C416F88531E6C66C95AECCAfalsetrue 11241100x80000000000000005493790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:24.059{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:24.059{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=84462A64D3104CA8B8B40E13386E2E5A,SHA256=B1B1F9BB2261642660CAFDAAA87C18E105623D4DA2D606CA7F611D72A19BFCEEfalsetrue 11241100x80000000000000005493798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:25.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:25.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E395517E62EDF0513943BA5FBBB9C561,SHA256=C5BB486FAE7D956EF2AB1BED520DAA7DB8543EF7F156EE0FBCE32B0B370C7D58falsetrue 23542300x80000000000000001550309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:25.682{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AECD84EC382A500326D445D0288C9F,SHA256=0876DEB30FE500171F6EFEF224BAAA0B36D124A39B35800BA9BEF241099184D5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:25.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:25.215{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5717A8112F1C935BF59A7DADD0F0EFE3,SHA256=D16F0FBD0F93C7CB733D59A144EF1E7E66D18D53248AD19EC67E8BB1A46725ADfalsetrue 11241100x80000000000000005493803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:26.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:26.793{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83515667AB4117EC2FCBB2DB7D2930F9,SHA256=F7EBF8BD443B37C78EC1D268291AA2CFE4BEE0E494CBB4CF415354FB04A55597falsetrue 23542300x80000000000000001550313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:26.704{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA113A924E422FBA8D1B552FE98BD78E,SHA256=90E07EE9A13E91FB8C4058AAE9F8532CBD5841F63AB1ACB19BDECF1924CEA98E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:26.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:26.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37EF6C4AC3ED38DA885AEAE610151114,SHA256=576EE928C766057F7C55BB56D0D8619D93E7FAF452771E201176CB9CB7A46D52falsetrue 354300x80000000000000005493799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:11.710{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49734-false10.0.1.12-8000- 354300x80000000000000001550312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:19.685{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61679-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:26.083{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE501579D9DC6F44AAF78021806C5D36,SHA256=F2B0BDD8D2B3FE1CBA47CD1FEDCE857F5E851961F3DB4E99EF481DB35B546F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:26.083{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C01368D0AFA179300513C7B94373B49,SHA256=54E94DB7EE6D1E42C6DF0E618ED48E25045578EFB53E7CF68E715E1631F1C50A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:27.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:27.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB4AC007E6F274BE73329F67F248F96,SHA256=29D4312A46C600AFC872E12A3FF92306E810FCB4CFCA522985596DBD54F5A99Cfalsetrue 23542300x80000000000000001550314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:27.707{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B03079774B76C19E6E1F13351DC00AA,SHA256=D3F8A8395C73E9F7E3A307E37475602616DB382C1892E59B6998A338E60EB83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:28.728{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1099DC4B7D39F423F7BFA0698FF7DAC1,SHA256=57BD60C39FF3CC4901F19A2E10A288F6C80E00B9F8614A35B0ED3FCE5B9E5A67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:28.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:28.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0295B26DF9E8792639495DAD18747B69,SHA256=BEDB1512A590725C1B0DA839CA62AFDFBD330A8649004C70C784D55F5485FD16falsetrue 23542300x80000000000000001550316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:29.730{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9280732F1AD91E4892AD577F9C603C46,SHA256=7CFAEB5B7A1C52F539D1127BA28CAF6F1065146495B1A7947D07C84E89090BC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:29.856{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:29.856{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BBB47E83A77DD321266D02379D43039D,SHA256=6B7620D0B38F822B49F4041B5E01B435164AA6E4820631E00E59EDFDF84B8D53falsetrue 11241100x80000000000000005493811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:29.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:29.840{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4562317A0F2FD35DBEC86CE6C05C9E,SHA256=DB881A0B828466C7996EB7248C8DECD67345154344BCFF290576B8D4C150E952falsetrue 11241100x80000000000000005493809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:29.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:29.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4669E0A57884D0A08320BDDDA9E3C390,SHA256=47A1BA1658CB71E5D82B8FB4CDBD2231A08CB83172D3B17257D0A0198C200F74falsetrue 11241100x80000000000000005493817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:30.938{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005493816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:30.938{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=769EC7AB0BC0FA6887C199A94798AAD6,SHA256=744EA5FE2E1DD0F49F8B34370DFF9448D81842627AEFC1B6E8AE952F22F0BB45falsetrue 11241100x80000000000000005493815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:30.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:30.844{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F317CCC8A1697D881CDBAB5CFDC4D519,SHA256=7D2DAD639D5EE64562299DFED11EBB923DC7222B33841304FF8DDF8FC14E10CEfalsetrue 23542300x80000000000000001550317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:30.732{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F677AA2E7A0DD20B264FC5EB90A19B,SHA256=A241AC79D745764BE8178468B9BAD4D0EB6FFBF0EBC35E483A8D2B76E52D4055,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:31.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:31.860{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1155471D882648C67B9EF38AA3F9946E,SHA256=56E52C2E25A352A35D39A6272D63ECEC745B4B573A8AA675168EAD5727F72A65falsetrue 10341000x80000000000000001550327Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.818{AEE49BD1-10FB-6139-8CD0-00000000F101}3526036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.734{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097CCDB6E1B00826D4E8EF986000B9D1,SHA256=6314326F1F34A1BA2C4C2E093A1181BE303EDF0E92610B75966B968703A1A955,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:17.647{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49735-false10.0.1.12-8000- 11241100x80000000000000005493819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:31.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:31.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7125E3A194BD8B2F326EEEF917938C5E,SHA256=AB48DDCB30F60D4F03DDED54897BDBF0E17E04AA303328C9221D1DE234AD2436falsetrue 10341000x80000000000000001550325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.697{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-10FB-6139-8CD0-00000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.697{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.697{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.697{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.697{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.697{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-10FB-6139-8CD0-00000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.697{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-10FB-6139-8CD0-00000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.682{AEE49BD1-10FB-6139-8CD0-00000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005493824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:32.875{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:32.875{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B7D8297F3191F44F6758DC958D9860,SHA256=1CE3E3BD593017EC624B0AA71A2AE4A423CFBF90B91B8B163F30B091F2603FF9falsetrue 10341000x80000000000000001550347Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.968{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-10FC-6139-8ED0-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550346Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.968{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550345Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.968{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550344Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.968{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550343Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.968{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550342Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.968{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-10FC-6139-8ED0-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550341Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.968{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-10FC-6139-8ED0-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550340Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.953{AEE49BD1-10FC-6139-8ED0-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550339Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.852{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBCF50775F81DDB5180DE30F59899AD,SHA256=0A72F2A420E119438ECB709FC586F41A7218055BE09C37D9D90C71A58366269D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.482{AEE49BD1-10FC-6139-8DD0-00000000F101}51044184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.366{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-10FC-6139-8DD0-00000000F101}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.366{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.366{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.366{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.366{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.366{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-10FC-6139-8DD0-00000000F101}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.366{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-10FC-6139-8DD0-00000000F101}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550330Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.351{AEE49BD1-10FC-6139-8DD0-00000000F101}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550329Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.134{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D8DA823FC9DD1A2D3163DFEAFDA54F,SHA256=54E1C6797629EAB8E6FDBACD773ACCBE2D56D3C190C3737C9916C753193EF573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550328Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:32.134{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE501579D9DC6F44AAF78021806C5D36,SHA256=F2B0BDD8D2B3FE1CBA47CD1FEDCE857F5E851961F3DB4E99EF481DB35B546F0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:33.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:33.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541E66616C54F8CE14C3778722033603,SHA256=A49054E07CCBC2D223CB99010F3080F951F13F8B340E716A907DD225592AE2A2falsetrue 23542300x80000000000000001550351Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:33.853{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B68CA4F307C4B66BB2758F8E99D1C85,SHA256=610B616E5E6AC10128767C6F764290D3135ABFAD96416ED9445BD889A663084D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550350Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:25.668{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61680-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550349Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:33.368{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D8DA823FC9DD1A2D3163DFEAFDA54F,SHA256=54E1C6797629EAB8E6FDBACD773ACCBE2D56D3C190C3737C9916C753193EF573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550348Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:33.099{AEE49BD1-10FC-6139-8ED0-00000000F101}24083772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005493832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:34.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:34.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C7135D47B18EF402E14D5B7AD04B9465,SHA256=249321723209EC3FD59B7570D7D89F9A521B902FBBE68CC851225E2076350994falsetrue 11241100x80000000000000005493830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:34.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:34.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9B63F05F3F66F94376042FD2119D50,SHA256=5DA376DC54E4A6DA5B218AC64BE4954357C42B0DAB9FC87886282CA8F05C8FFBfalsetrue 23542300x80000000000000001550353Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:34.856{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364211EBB845F89DA05B89C5580D8EA2,SHA256=A719C6E15F042DEEBD406F7F1AD0B406D96EBDAAC07F4B9C2F9A1153F9FDDA83,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:34.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:34.157{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C12998C5F946F9CD0ED17372C83FB9D,SHA256=683759FACB8739A505D51307B770439B65FBB6A52FBA6376D95AC7B8F9C24C6Ffalsetrue 23542300x80000000000000001550352Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:34.841{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7253MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550355Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:35.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF535D0DA30126D76CF8E7C8CBBCCEE,SHA256=FC549FDA1DCD8D4C28EB8C1ED81A8CEE60ED54B1B7D2572F9B984A7311F16F48,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:35.922{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:35.922{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9209B246A6AE9AF79C468DE6AE62D6,SHA256=0231E3678D0E3FDF872BD7DF08E89B3FEB15EF59354BB8C9320BD17C35CF2237falsetrue 23542300x80000000000000001550354Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:35.843{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7254MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550356Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:36.891{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A73E7EDEDDA7A2DE75FCE933CAF1033,SHA256=C18BA7EE0AF13A58A20CD9D384F3F9A14C4B23CA230967983F81DD42A201F5FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:36.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:36.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10360B83D6D02ED6217D5F4A21FEEBC9,SHA256=F9A907E9B7950D95DEF5944077C07DC0337C5593B52939CDB59726D60C0EDC3Ffalsetrue 23542300x80000000000000001550357Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:37.893{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDAA1C5D48C37A5184640FC3527919D,SHA256=30DD89BE064A0C5CE6A6CADAD8B76EE166BD651D65BA142AE5468BE3552F6D51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:23.573{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49736-false10.0.1.12-8000- 11241100x80000000000000005493840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:37.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:37.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C576C5A18F972F523A0D057A745A8C93,SHA256=E3D7098B5A888ACAD690A0C219D51B314CC68E440B92B18423955928F18B9D31falsetrue 11241100x80000000000000005493838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:37.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:37.141{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA71C4B333DC4DAC68E323B189D8F309,SHA256=87046AF54CB2502B58F8A66B3183234473B102C0B8F42C4FCE17DC5438314151falsetrue 23542300x80000000000000001550360Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:38.930{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C70858849C28EDC300CC88DCC23CEF,SHA256=211BF219485AD08937A8BDB71873059CAB29271D4D5F18106ABD5221B655CE64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:38.063{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:38.063{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DED3CDF2CF6ABC146F33767ABFCBF39,SHA256=5D4C9C7BD7136C70E52607B0A791FAD4C08DFF1D4E4C5BAAA23C009BC2ABBB6Cfalsetrue 354300x80000000000000001550359Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:31.680{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61681-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550358Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:38.078{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6279AFFC174A3C795F925B8C1B451E7,SHA256=90C57A7B44E667DD6777FDA552F92ECCCC381090DB24A01D28FD82F7F95FF59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550361Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:39.951{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8253E6B92CF3F32FDDB2C7BA03DFB0B2,SHA256=DDADC2FC2E7B8E44BE80C3F1F2E5153B82303895C3C9249BCB5E67FCB97D84AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:39.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:39.985{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5315DEEE8D056DDA89FCD4A887BFB2FA,SHA256=678E89F29E0A42A965A08B3AFE9EEC104B3EDB5462774EB3D5DDAB8BBA5CCC40falsetrue 11241100x80000000000000005493847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:39.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:39.454{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F38B0E692860E644FD84A6BC739E465,SHA256=F6FABAB35ECA83714EF77DEE3704CA314D00EFC89DF3486E654C3D6122A10689falsetrue 11241100x80000000000000005493845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:39.078{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:39.078{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A689A4093B5960E284E54F325996C9,SHA256=2D09CCEE27CC5D6862ED0BF0A31985428FD8499E657F31E80630BC507B21DB8Dfalsetrue 23542300x80000000000000001550362Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:40.953{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14277099F5A8FAA7CC2E905FF1C24B2,SHA256=B9515A971706517254D618AFB6D1F59DAD5FAD6EC8340091E5C0F04FA0F062B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:40.188{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:40.188{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EE18947942669BA28CFAABCE701F8C,SHA256=989E12EA5C7FBBDD0465D3F8024555258166999D59A7C747DDD098D061CC83CCfalsetrue 23542300x80000000000000001550372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.986{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=920AF066FB7F963BB896E6D577FE07CD,SHA256=3D5A495945106320E52E4FF20633911D214621E6CA846A9C26491E511A147DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550371Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.970{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C9F36B69EB7A9C73EBD3D3C70CF429,SHA256=3D9D7365910A35876034FB993444FA903A0EDE3E95A6BF82D39650EB6418B567,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:41.203{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:41.203{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137C3458E30FBD57112031DF25CEACFD,SHA256=5A45F10917039AA88FFA7A64EC61D686CC16BF647793F492DD140FFF2ABB357Dfalsetrue 10341000x80000000000000001550370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.470{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1105-6139-8FD0-00000000F101}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550369Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.470{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550368Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.470{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550367Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.470{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550366Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.470{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550365Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.470{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1105-6139-8FD0-00000000F101}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550364Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.470{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1105-6139-8FD0-00000000F101}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550363Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.455{AEE49BD1-1105-6139-8FD0-00000000F101}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005493855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:42.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:42.235{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D16B8FFD367962CF1C003DF4A10177A,SHA256=4D81189237609281FB77605C73A50D88CB3728986935DBEF6A42380EA0D76122falsetrue 354300x80000000000000001550375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:36.739{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61682-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:43.137{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DA9D5439A44F12B54A315D7C475440D,SHA256=97EC2621A0481F10EFDF8C32539CBE4F1E59DA91F199955D471203C993ED1BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:43.041{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C125E6A46A3FCCB59C4E3B62A884511,SHA256=0D4376FEB74DF7A057BC23C474E256E3960232556D450D2332B3F839E9FAA7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:29.588{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49737-false10.0.1.12-8000- 11241100x80000000000000005493861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:43.250{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:43.250{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771FFBE61459CA351D4595D40236DDC5,SHA256=D79F287EC4530615A2C17FF1C53C21525A5804F6ABD3B33E8FB645FA9C30C8B7falsetrue 11241100x80000000000000005493859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:43.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:43.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A114EE95FFF2DCABAD4E03267FFD9DF,SHA256=8BBC4968289493137B04A56B36756A4385019AEF0FA1C327FC2FFC69356430D8falsetrue 11241100x80000000000000005493857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:43.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:43.110{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C576C5A18F972F523A0D057A745A8C93,SHA256=E3D7098B5A888ACAD690A0C219D51B314CC68E440B92B18423955928F18B9D31falsetrue 11241100x80000000000000005493866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:44.422{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:44.422{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=13A9EF1651D614DB77461295606B5C6E,SHA256=873BD98C6CAE4D665E92D58760A4E5E11571B8AA089906E447149FDFF40AEF24falsetrue 11241100x80000000000000005493864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:44.407{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:44.407{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C3520F63F20D59576ED072A8388CD4,SHA256=009FD8BD5D8265421439C00841F838D061D0BA01E37036CB2DC94271906DBED8falsetrue 23542300x80000000000000001550376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:44.043{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0DF4AE27C6280A0B99B5000462BCC7,SHA256=18FF40A9B9FD80A9D964A2C4D847FD485041150E3702F349E1AB2C024D140512,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:45.422{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:45.422{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE6ECCDC2DD97271100C90FFE58AB4A,SHA256=CAC3BBEF310BE956EA807EA7B6A31F5F255B92618501C8EA99DA35017AF63929falsetrue 23542300x80000000000000001550377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:45.077{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5F138461140338A9C30EC63FBE1E23,SHA256=FAB52D20458A7D1BF090C3105631FACAAD2A8AD48A4614E62FF71B457ACC550D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:45.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:45.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=750E48FF55025C1B80A93829E1175620,SHA256=2716B1872EE6F527427A41FBF1CFB1EC8441D948991208CCD3A384B35EDC4D8Dfalsetrue 11241100x80000000000000005493874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:46.922{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:46.922{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A114EE95FFF2DCABAD4E03267FFD9DF,SHA256=8BBC4968289493137B04A56B36756A4385019AEF0FA1C327FC2FFC69356430D8falsetrue 11241100x80000000000000005493872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:46.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:46.438{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31BD4EDC7F699A94F474BF5ADBA0C88,SHA256=19E29C39245571841A31A99800AAB17C5708565B7396D2B43F9F1D880A73BA1Efalsetrue 23542300x80000000000000001550378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:46.080{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72AFF33B760E521DA12F227D26FC592,SHA256=3AC3E5FA158ED0DEB71504C086B1128408C9BE5DD0A1686CAD091A4288137139,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:47.469{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:47.469{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7157DA49A6A0FC095CC6B7CB76D71A3D,SHA256=EA50EC3B41A99586DA10ABC14B953C5AEE487FE0935429A4279262C1E4445F84falsetrue 23542300x80000000000000001550379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:47.114{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD09F410240A00D282EE5D4B4005879,SHA256=E59E4C542F9934AA5817A11E3C106D8715286D68413724BAB5AC09415A35BABE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:48.532{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:48.532{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A743E678514E1B646949910CE70CF0A3,SHA256=06E2195B8EC47286848A5C76FFEC4A49057982D44BEA4D7F407ED0F2455276EFfalsetrue 354300x80000000000000001550383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:41.802{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61683-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:48.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7C432328ED61CF9034AC58A0D47C320,SHA256=ECDF71D86B8EEC8A441929C4677898EFA5A828EB01FC01E9546D6DFD7B014E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:48.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AC094A9BC09697DB92DFC24AFCE501F,SHA256=435D2E6633521970541A08685FA4C93760806D39C230732634AC51C0383F8CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:48.116{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256736BD7424E1F27D88E3C7D91C94E8,SHA256=8DEFF98ED926A2215B3E15E7C9036F357A8A8014FF007D896466680E285EE640,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:48.250{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:48.250{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D88F6ED7BB72E86FE9D40527C0CDD17E,SHA256=348E0910C13982517AD30830ECF84DBA89EE89B55D794E27A783C7E5A50A638Cfalsetrue 11241100x80000000000000005493887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:49.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:49.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE8668E129B2E6EA6797FF20CCA00E6,SHA256=8BE0190461DB031BA46ADA5F6E2AF4C652C6906D2C83ED0A8C65B5D6F5C50EDCfalsetrue 11241100x80000000000000005493885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:49.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:49.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A769F6FCF8062B57893FD3197C905C6E,SHA256=67533CAFEB0EA0E7E3CF6B42DF2BD9964841F51CF22A97DB0F86B8315D65AE51falsetrue 11241100x80000000000000005493883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:49.329{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005493882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:49.329{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 354300x80000000000000005493881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:34.744{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49738-false10.0.1.12-8000- 23542300x80000000000000001550384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:49.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E70B38C1F1ADF7EFA735E2293A42B1,SHA256=54B1871D5D12D068A5DF00A850C71B146EE0D17030B6B86C8C0071C883597D4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:50.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:50.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C93A3ABC845132763C7CCF331C9A316,SHA256=5DED660485EE2FDB2ED68319F420B86080A1720E192A7AF15BF2EB90B95CE5A1falsetrue 23542300x80000000000000001550385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:50.153{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A274685719470BF6336C15F7B88BE84D,SHA256=8443FD557E8F28B55952758D665754B84938A78C0303481EA7A54BDCC882800E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:50.344{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:50.344{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8F67A908C7AA3B99CEE31FDE041E24C,SHA256=FF2610B8002D008379CA33110861BE34503A1239AD6088E2A5C38DBDFBA7F352falsetrue 11241100x80000000000000005493889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:50.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:50.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62254AA3BC658A81B96FE50E09F6C4E5,SHA256=DB9DC5F5B998F3216ED576A96A419514C2A332927CC0B2A7CD76F011E4AF775Bfalsetrue 11241100x80000000000000005493898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:51.717{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:51.717{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA2D72DE2A09ABC724B1FB70A0C0AC9,SHA256=52C245D1A31DA91089B5307118E193216595EDB05F2092846EC997DD6D2C2B69falsetrue 11241100x80000000000000005493896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:51.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:51.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A02419BB999847C64B02EE180BFE8B,SHA256=C8EA1A58D193B37CF7A8290C87243F04AC7A76345EB6F99CC638CC856FA7E9A1falsetrue 23542300x80000000000000001550386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:51.175{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93002B09610E7B36048C2ED72D12B68A,SHA256=192A7206265F09E2B8BB3E94401B1D65187D5BAEFD548F1A91843A89E8E2854A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:36.838{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49739-false10.0.1.12-8089- 11241100x80000000000000005493900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:52.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:52.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE8282903E42080D4598E2820D59D0C,SHA256=73DA22A7F7927122E501F68A4ACC85459543EFD2A1D55D2E37DD38A8C2359D7Cfalsetrue 23542300x80000000000000001550387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:52.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F3831E814109E70AE8E7EEA68291A2,SHA256=875A2B9145348792A37C54F6DF98B783428894BE89030403BEBE2EB0576BB572,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:53.686{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:53.686{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14AD0E1119F78414176CB44720992B40,SHA256=B8A1BD0E17BFF59FB79ED3678E8797C2FB1E36CE302686DB9215816E72171ABFfalsetrue 11241100x80000000000000005493902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:53.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:53.608{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8416A929115C31B52111610DC59FFDA6,SHA256=9B08C7D3241CAD51C35D61E14DB8BE4B936A3033348EB777AE8F11D022E5901Cfalsetrue 23542300x80000000000000001550388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:53.180{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B1BD89C467DF4E688684C0E1392F98,SHA256=4787F7558C5C0268E5F4C4CE0B9058B77F49B441E4E7624DCA928225A5EC4DC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:54.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:54.624{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0DAA36E5567AAACEA983E1DB6232AF,SHA256=9D2C58A9C64F6FF0FCBA24FC7FD4A4BAB315AF0206088A501795649DCD2F55EFfalsetrue 354300x80000000000000001550392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:47.718{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61684-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:54.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC733034BB24E617BD425EC0C3B6592,SHA256=44DE27A6964A7146EEB3AA413FD47B55A12A06FF43402EB91D3BC2CD0E724208,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:54.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:54.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=309E3011360D6ECDB2AAEC49D955A3F7,SHA256=3EB172877F5CB3F31CE9E45A1C86B312FA178E8CB3423C1417096E8761CAC5FAfalsetrue 23542300x80000000000000001550390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:54.114{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04D76718D95B2C59F687D91E7405DDAD,SHA256=3232E46424B4A248CE15AC3FF4C1659AF72ED1499C3FCA2B855BFC4A93E3AF72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:54.114{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7C432328ED61CF9034AC58A0D47C320,SHA256=ECDF71D86B8EEC8A441929C4677898EFA5A828EB01FC01E9546D6DFD7B014E45,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:55.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:55.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5178EF3624DB3B00440A8462243271D,SHA256=D071D617CEAFA3CCCF64465E2DE17F8EA124E75881F2E91D9CAE9600BE2E0D80falsetrue 23542300x80000000000000001550393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:55.185{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0545B6AAE2BE1BEC8551099A8692444,SHA256=2F11B7CB810237CAFBE2A15A6A41EF99A47BC0DF6B66E565F5C8FCC36F49ED4E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:55.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:55.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E720C8C3731E684970533FD518B09DD8,SHA256=8C7CA47D417F16383951600A63BFDD3F972550C5614D30BBF0CA9C1F8F9AD50Ffalsetrue 354300x80000000000000005493909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:40.571{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49740-false10.0.1.12-8000- 23542300x80000000000000001550394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:56.187{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BD89C3A4CF830E2F7AE53F5CED8EF9,SHA256=9AE565FE84EADAC2724DBA288025138945A32797175613C20DD184DA287564E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005493942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005493914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.217{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005493944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:57.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:57.046{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE0F3552F550DA5D6B04A674A56559C,SHA256=817556FEA07B0F8F4938ABA50FDF0723406954581FA67A8A18AD32867B9B0E75falsetrue 23542300x80000000000000001550395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:57.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C2EC5FB82298C29414B9A3112FA58E,SHA256=D51EDC9A819F8F21873450D575F4D8EFE2CDA4A8E2C861C7E1E9A36FDFFEBB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:58.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDBF18A094EA23DE3037DBC2423A387,SHA256=F81F8DB1EB07C93868438ABD41F53A6F0FC8D82315C801D6FD2E790257FB4599,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:58.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:58.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B17E75AF49A389785AE8FEC29A5B6A,SHA256=2C1F5E65A86FE28478A8E9B34166EA54E9F1E7D4195CA1B9E90791B432CCD0B4falsetrue 11241100x80000000000000005493954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B93FB08E6E1B8F2E7D72F10DEAC028B,SHA256=9384C631327C8381F55A4EE944E8F67E597D1C698F0D5F3EFCA7D255097A9926falsetrue 11241100x80000000000000005493952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E170093DB130BCFBD4E8BD22D2B818CE,SHA256=7612FA273BFB7FD30B0A2BEEC00D68EBB726EBBA8BF278C07FED495FC0E7CC42falsetrue 10341000x80000000000000001550429Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550428Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550427Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550426Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550425Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550424Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550423Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550422Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550421Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550420Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550419Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550418Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550417Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550416Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550414Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550405Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550404Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550403Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550402Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550401Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550400Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550399Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550398Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.226{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550397Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:59.194{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3B68611E2E4D73CFAEA5807A0D82EF,SHA256=517E0C58181A65E442A621B95FC5813A8C508C08555DB3EAD7CBF9FDF2973CA7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=084161E7F84C0841F16B694C5002FF98,SHA256=A8C6BB8C464DFBD092EA7188C45F8863309918A08D9F97B5A19667D3D18DD8C2falsetrue 11241100x80000000000000005493948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:59.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=494049F3BC4259F3F37C93AA70271C2E,SHA256=09D34F43CF583B0DEFFE4241C4061B884F349C7467FF39DC8C013E0CBB7B6A00falsetrue 354300x80000000000000005493959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:45.742{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49741-false10.0.1.12-8000- 11241100x80000000000000005493958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:00.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:00.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B333ADE097703B17871D53C9C552F26A,SHA256=09156FD4EE2FE10EF51B8B6D9C1B3E27EFDBB9AA8E55BAB86BD139123946DD8Afalsetrue 23542300x80000000000000001550432Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:00.242{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA388CF8E3FDB8C8758AA2D3A6532D0,SHA256=004DA380637DA8C94B94190C109A6D6291E0C842EBB388E5A3DD70CC469E530E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:00.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:00.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E4AF3AF0ABBBDA93D98B984A10846670,SHA256=F9CC603819B4E8C8C9961D5F5B93D585E664E8785B3B415F4AA6018DB84CAA87falsetrue 23542300x80000000000000001550431Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:00.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D386014975DADC24515407F36129215,SHA256=5CA94798D2D5C4CAB0AE733B30594FBCBF70C681DA0333000B8C75DDCDAFEE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550430Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:00.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04D76718D95B2C59F687D91E7405DDAD,SHA256=3232E46424B4A248CE15AC3FF4C1659AF72ED1499C3FCA2B855BFC4A93E3AF72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:01.342{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:01.342{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D80916F7FD6A220831BEB7DE9D6E166,SHA256=C90853655571FAB5407ABB9D51910C0084F38A161FF747AA633594B558DD83BAfalsetrue 23542300x80000000000000001550434Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:01.277{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764A34D8BCD14C28F52753DC4508A146,SHA256=6B6A39D9B4798112AA6C0D55AE93A354BD9E0725F258D09D5649E80BF4E6C00E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550433Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:53.677{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61685-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005493963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:02.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:02.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6ED839D1A404D169D9EFEF5C45E48B,SHA256=BA5D665729C487ED7423948A2EF39EF5ABC93E2018693D5C1778D1FC08529073falsetrue 23542300x80000000000000001550435Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:02.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D437B70B993AEDFDB1F22ABC3784720D,SHA256=E94D38B19CEA65D1E07B03F9F2353C279D2F2878C0F5EC6C8F456C109BC6C8B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550436Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:03.282{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F97D56F2A577F4D4DDA7FE6B212884B,SHA256=8995A69D517B5D1F6B6C08549281AABC8128D447DE6A4C3C0A950B640BE19A42,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:03.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:03.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0460BA5C79BE51514EF2986B4ABB5210,SHA256=FE1E83E06EF83BECD147292A43D43308BC1A134F106CD2974A139A0832CD4DDBfalsetrue 11241100x80000000000000005493969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:04.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:04.577{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=388C358B76767A5D0FD88FEA528D2E27,SHA256=35F51DF751C2A3B043C1DA390C75E484EDD0D86DE9F2D550111A85491C76FE80falsetrue 11241100x80000000000000005493967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:04.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:04.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D973D85E86A3B4B9C6CE5806C8CD65E,SHA256=4230C753B566556A5D4C355BCF632D0FF8C1C23CEFD0AF20315D98A263F70FD8falsetrue 23542300x80000000000000001550437Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:04.284{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E468ADC49EDAEDC7F8248FB11FFBBD,SHA256=AF9043FA22547E4A3B50ADD30D51079589904384B9751082B80B7F22EA616971,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.749{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935DF6507919F1426CB424132E4941CD,SHA256=7AE2A1B56B628BF94DBD9EA48174956274D128268BD5594B02D4786B6A14F6C7falsetrue 23542300x80000000000000001550440Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:05.306{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7BE9C087BA3E18ACA9EC1255210DDB,SHA256=4DFC257089D838A56C210C3B269F89502C8F5C74521908C2C18EE4708E975F97,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9616AC64D044F66C6B7D794528F9E84,SHA256=0D9822696A50D27975ACC10022EFB23A1D90E08DCFD504559E84274BF033F822falsetrue 11241100x80000000000000005493973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=084161E7F84C0841F16B694C5002FF98,SHA256=A8C6BB8C464DFBD092EA7188C45F8863309918A08D9F97B5A19667D3D18DD8C2falsetrue 11241100x80000000000000005493971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:05.264{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EA67D3C195B96000909A040B93ADA64C,SHA256=FD5421340914F167FA4E915287A1360792D61962B095B9C7CC658324E0DBF745falsetrue 23542300x80000000000000001550439Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:05.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE51E8DBB9502445A7AB34AED462E94D,SHA256=4D5E5DC1C4FB54A5DCDABF06FF4367A0178614EAA4E20BDA09DFD3811901C760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550438Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:05.237{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D386014975DADC24515407F36129215,SHA256=5CA94798D2D5C4CAB0AE733B30594FBCBF70C681DA0333000B8C75DDCDAFEE22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:06.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:06.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2261E643637530C0CA4366EBF8EF5122,SHA256=7DC1EBA40B69F9202E05A431863D0BA9F8BC5E1A331DCC1556149700C9F2C742falsetrue 23542300x80000000000000001550443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:06.539{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4E5AD6009417FC57040705FE196F02A6,SHA256=8CD37D999343F27481A7CC6AA38F23C7517653B49474FD43580B19F8C1AA27FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:06.370{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2905DCA25CB53A276CD0B7C847C215AF,SHA256=A297E58C90530B26F9E76D7FCC40C33DAC790FA2B040D3249EB32FD7F07F5F78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:06.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:06.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9616AC64D044F66C6B7D794528F9E84,SHA256=0D9822696A50D27975ACC10022EFB23A1D90E08DCFD504559E84274BF033F822falsetrue 354300x80000000000000005493978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:51.727{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49742-false10.0.1.12-8000- 354300x80000000000000001550441Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:37:58.840{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61686-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005493984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:07.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:07.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4E8D83EA7979BA34E0485376D68AC4,SHA256=48A7B80E78E198714E99E43A190CE7D57EF4EDB08F16B8DF91313D4F3E212571falsetrue 23542300x80000000000000001550444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:07.373{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B308A44B357650E44C3455B61589D1,SHA256=24E7E4413154584D28499CCE8ACA94DA25B384E574CC07D21CE7258F7F0B02AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:08.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:08.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F99D5029AEF8584A875773887ACEF96,SHA256=E0D1E2B326AE7F4C0DFCC09197384DA25864B06B8768FDC9C1924D4BF5C8153Cfalsetrue 23542300x80000000000000001550445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:08.375{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2BD97DD024B1F78DBC9FD45F165AD9,SHA256=C36907A83654BF32325A472571D7B70DFFF5C3DAFBB9AA521077A2ADF3B300E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:09.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:09.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D750AA601510BF09DB6ABFA8D3017C8A,SHA256=DB6C22BA70992249B2C5CDF9D94E0E6753FE2D5332939F97C3CF590DDA4D9EA2falsetrue 23542300x80000000000000001550446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:09.393{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFD3C51B9E36BECEFCB680FC156B2CD,SHA256=A34EE7189DC06FE7F9D4F54DD1FA83C230523DA71029BA4C783BB00EBA135AA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005493988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:09.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:09.561{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3A4C878BAB07FB217C2A6AFA00ACD96D,SHA256=3450E00490C4EB0EDCBDBE86FA6CA1BB3513740BD83770CF34D9DEC2D27D0C5Cfalsetrue 11241100x80000000000000005493998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:10.911{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005493997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:10.911{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A467062D1112AED10144578948A8DE,SHA256=C437BF1BDCC8CF5E2FB047AD769213DA133362332A77270F8C3386EA71A127FAfalsetrue 13241300x80000000000000001550473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001550472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001550471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001550470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\FlagsDWORD (0x00000002) 13241300x80000000000000001550469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\TtlDWORD (0x000004b0) 13241300x80000000000000001550468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\SentPriUpdateToIpBinary Data 13241300x80000000000000001550467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\SentUpdateToIpBinary Data 13241300x80000000000000001550466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\DnsServersBinary Data 13241300x80000000000000001550465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\HostAddrsBinary Data 13241300x80000000000000001550464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\PrimaryDomainNameattackrange.local 13241300x80000000000000001550463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\AdapterDomainName(Empty) 13241300x80000000000000001550462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\Hostnamewin-host-296 13241300x80000000000000001550461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{DC3869B3-F6A5-4F3B-98A0-5D05A20B009C}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001550460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001550459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001550458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001550457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\LeaseTerminatesTimeDWORD (0x61391f32) 13241300x80000000000000001550456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\T2DWORD (0x61391d70) 13241300x80000000000000001550455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\T1DWORD (0x6139182a) 13241300x80000000000000001550454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\LeaseObtainedTimeDWORD (0x61391122) 13241300x80000000000000001550453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\LeaseDWORD (0x00000e10) 13241300x80000000000000001550452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpServer10.0.1.1 13241300x80000000000000001550451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001550450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpIPAddress10.0.1.15 13241300x80000000000000001550449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:38:10.678{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dc3869b3-f6a5-4f3b-98a0-5d05a20b009c}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000001550448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:10.396{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41175AAFEEDB7FA0A658519ED2227CFF,SHA256=A8EB4372FD7E5EC098E3707978237883BDA34CF47CE14AC7C8A26554EBC276EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005493996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.758{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49743-false10.0.1.12-8000- 354300x80000000000000005493995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:56.654{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal59252- 11241100x80000000000000005493994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:10.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005493993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:10.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B1C5FC24CB061B1263E129EFC510BDA,SHA256=85387560C17E69AE7CE7CF8D9579D9455F61C52BFC1272E554256E41E0080737falsetrue 11241100x80000000000000005493992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:10.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005493991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:10.233{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C91AF81788D8AD765EA62378D0EAEB4,SHA256=71732EE45668E3BE835B3D81C8ED0454F149874586082FC9BAF0F2A22EA01A49falsetrue 23542300x80000000000000001550447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:10.146{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE51E8DBB9502445A7AB34AED462E94D,SHA256=4D5E5DC1C4FB54A5DCDABF06FF4367A0178614EAA4E20BDA09DFD3811901C760,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:11.958{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:11.958{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AEE6FA56B871CB1F3BF8AF7B8D49F4,SHA256=60C617C8D697A1FB6B268BFD70C294442261BC0A02447C0EBC6EB21FF96407C7falsetrue 23542300x80000000000000001550476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:11.517{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00461B2A2FE1F82DD21B60951F58D509,SHA256=0E2905BD3EA2ABCE8730EC497EDEE886C6F26A8F4EC5B965356CB5F68B88F4F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:11.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:11.692{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBD2D7B6CFE8098B4BF519A3F3A6CBA5,SHA256=BA2A9C6752332BBE1C35CA38EB749E5EAEACA015F60A4A86F0137057A9AA4BE4falsetrue 12241200x80000000000000005494000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:11.239{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005493999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:11.239{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x80000000000000001550475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:03.748{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c870:e405:589:ffff-59252-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x80000000000000001550474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:11.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA2193615D1BC21B133C97CEDDD07DD,SHA256=091D7BE9A6874E5CFD4A9FC6780C8CAD166BC733163C0837AC5F06F7A147C667,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:12.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:12.989{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCE57F8CA493CC3E9F468846F2A9D1D,SHA256=DE06E79D8F377175C7AF5C5AACDB7E1D1758824FA271F6D37680909C4380FDB2falsetrue 23542300x80000000000000001550481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:12.520{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EF960EAFFA8E3BFFAFC23DD08ED9D9,SHA256=7A55093232C08EFD0E997E0461D4A0FB12BA29BD6A67E3F3180B09AC61606715,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:58.748{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49744-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005494007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:58.748{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49744-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005494006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:58.197{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54511- 354300x80000000000000005494005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:37:58.196{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-291.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58894- 354300x80000000000000001550480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:05.289{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c870:e405:589:ffff-57030-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001550479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:05.289{AEE49BD1-415A-6132-1400-00000000F101}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:106b:c688:c3eb:2063win-host-296.attackrange.local57030-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001550478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:05.282{AEE49BD1-415A-6132-1100-00000000F101}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-296.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 354300x80000000000000001550477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:04.750{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61687-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001550483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:13.953{AEE49BD1-4159-6132-0B00-00000000F101}628920C:\Windows\system32\lsass.exe{AEE49BD1-4151-6132-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001550482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:13.538{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA056E86794513EE150EFA12A6ED5144,SHA256=B6E8A34A9357B0B79784D3515D011D9CF4D280E3489B796EEE38423BD39BE8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:14.724{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:14.555{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B337AF5B4494E97850CC925D9573075,SHA256=EC716515507C7B9F869DCCF01C6C90CAAD627DCF709C3F8530C470153BC7C34A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:14.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:14.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=433026A0D273DC9717305D93A4BFEC42,SHA256=F99D1A053FD3166F5DA1DD5A40683FC25879773E68D9D0C20020BF7FCA1373E1falsetrue 11241100x80000000000000005494014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:14.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:14.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1C0F155E053645B9BAB0489D5B45DB95,SHA256=AA59204F537E2521077090DA336A61706400B3266B6DED48207629A17CE622AEfalsetrue 11241100x80000000000000005494012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:14.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:14.020{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363A433158BC4D4B69DB6C960D1D2961,SHA256=69A12540B8BD544E4B07CBF48464D0F5C3E0585D92A4382A70A8291727472A5Efalsetrue 23542300x80000000000000001550487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:15.556{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1822862A1BCEB6DC2D9722A3C269A363,SHA256=77A134E3AB052C5101D5277C9BF90B7355438BF2EE677519A10C08505AFC2C2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:01.465{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61688-false10.0.1.14win-dc-291.attackrange.local445microsoft-ds 11241100x80000000000000005494020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:15.395{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:15.395{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=559DDA6C7AE829013FB7A89267D59EB8,SHA256=667448FDDA5B99449B37CA2EE3DFF2A5039BBED285988E93C3C0A275A7C4E43Cfalsetrue 11241100x80000000000000005494018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:15.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:15.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2BDE3B736C41418DA9BDA222CDE9BE,SHA256=A5D639C873E83988766F4B59E49A10FAE34231E30911D0BD9E197A30D3DDB178falsetrue 23542300x80000000000000001550486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:15.187{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C946B09DF24D346872AB2824987B46C7,SHA256=68065812FE615B710BDDE4C2603E37064F85761137D25413B0B75994B1D876AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.812{AEE49BD1-1128-6139-90D0-00000000F101}33405772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.690{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1128-6139-90D0-00000000F101}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.690{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.690{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.690{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.690{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550492Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.690{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1128-6139-90D0-00000000F101}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.690{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1128-6139-90D0-00000000F101}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.675{AEE49BD1-1128-6139-90D0-00000000F101}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:16.559{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA655D2C0CDAB932163E40A142D2302,SHA256=04EB4478360FCAC6BA64157915397902E8D25A4E149ABAF1EA4378E78E553C32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:16.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:16.239{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B55C9759A5AEDD403BCA70D7E036E29A,SHA256=5D10FF9884DA43417069AD388E55AC82332C0BF13166AA77A4F3F06BCF64F310falsetrue 11241100x80000000000000005494023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:16.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:16.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE358D903E4C6A505DFC747C482C179,SHA256=0C7ED959B941DEEE2CDCA8D8F7AD682B411BB5DB8846DF630E270C0764B3C638falsetrue 354300x80000000000000001550488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:08.559{AEE49BD1-4151-6132-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61688-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 11241100x80000000000000005494028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:17.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:17.270{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D342D737AEDDBC0AE89FDA8E39E2DCF,SHA256=24CE013F71E00BF0A5FDF2A9BF767BA784A8C2BF5FF24333CC9D0633C5EDFA2Dfalsetrue 10341000x80000000000000001550517Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.912{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1129-6139-92D0-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550516Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.912{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550515Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.912{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550514Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.912{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550513Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.912{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550512Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.912{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1129-6139-92D0-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550511Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.912{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1129-6139-92D0-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550510Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.907{AEE49BD1-1129-6139-92D0-00000000F101}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550509Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.658{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077AE564F1F6B607CFEBFF37E38DFBEE,SHA256=F464C45C8542BE540C1C07DF4D090496E7B8AB870976A676DFF44BC7359EBDB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550508Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:09.328{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61689-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x80000000000000001550507Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.289{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1129-6139-91D0-00000000F101}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550506Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.289{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550505Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.289{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550504Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.289{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550503Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.289{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550502Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.289{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1129-6139-91D0-00000000F101}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550501Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.289{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1129-6139-91D0-00000000F101}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550500Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.275{AEE49BD1-1129-6139-91D0-00000000F101}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550499Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:17.109{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237AA50C4981313C7524E1E9A9F3576B,SHA256=CC65FC231C5909F3F62BB8CECE3389E7517EBBE52E686E73412E5632B6F61393,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:02.716{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49745-false10.0.1.12-8000- 23542300x80000000000000001550520Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:18.660{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FF027A4AD666247BB7527E69B0865B,SHA256=A61A7C32D875D25E1BCBCF82403E19FD57915AF6D1E14BF8EE43B0749F600F86,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:18.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:18.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D14B65C36E7B32933DE3C68AED3E408,SHA256=E0568CE6F8A19D406481938B976855E2FCEE8D90B55F517EAB8D0684D7AE6953falsetrue 354300x80000000000000001550519Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:10.712{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61690-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550518Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:18.308{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7D12CF7F350F89CD68076F01008765,SHA256=CFE61D78F27A66626E659CDFBBCCB36B142E3C43988A43EA025D4BAE21C158DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=172164D29D216B31FDA155398FC87900,SHA256=B408D403E46DE5B6DA762872AC695EB49C68564047E5A9C731E970D5A04FD910falsetrue 534500x80000000000000005494092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.552{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005494091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.552{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005494090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.552{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.552{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005494088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.489{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA51139F9657BBDA2651F38431B49681,SHA256=5C8CDAF321716F45DE1210336131BDEE22462035EA51A9DE64D763BBABB1589Ffalsetrue 23542300x80000000000000001550521Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:19.693{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACC72EC94C085EAA6C2CC896C921A2B,SHA256=0E95663DAD4E1B97F2A16B501975CC77223EDEED841BF2C535FC9C62561D0B45,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005494086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005494082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005494080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005494075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005494053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005494051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005494049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005494048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005494047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.427{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005494044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.411{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.411{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.411{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.411{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.411{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005494039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.411{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.411{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:19.396{4DF467A6-112B-6139-97D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:19.395{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:19.395{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:19.395{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:19.395{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:19.395{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:19.395{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005494213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.912{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005494212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.912{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005494211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.912{4DF467A6-112C-6139-99D6-00000000F001}58927348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.912{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.912{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005494208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1259F3F683A99F2081381FED4F2EFA,SHA256=C88E8C09C7339E6250A24C5542B13849D58DA666850C4BF97A3FB7DF7BEF3730falsetrue 734700x80000000000000005494206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005494202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005494200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005494169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005494168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005494163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.787{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.771{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.772{4DF467A6-112C-6139-99D6-00000000F001}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.771{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:20.771{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.771{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:20.771{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.771{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:20.771{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005494154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=566F82D50252FB7BD34090DA96410107,SHA256=3D4549C7EDBFFCCFA9D7AF3F11E990C2B9B0EDCE53BEAED9BFE1F7533E088865falsetrue 11241100x80000000000000005494152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.411{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD2955A176D661BAE9A1858567889A1,SHA256=642A594EDC9EB8D99056E7676F7FE0FF3ED384E92B395FBB1083907C9FE28871falsetrue 534500x80000000000000005494150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.223{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.223{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005494148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.223{4DF467A6-112C-6139-98D6-00000000F001}78006832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.223{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.223{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005494145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.114{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005494108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005494103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.098{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.083{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.084{4DF467A6-112C-6139-98D6-00000000F001}7800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.083{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:20.083{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.083{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:20.083{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:20.083{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:20.083{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550522Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:20.713{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B198D5671F23799FF70390ACEE3F37,SHA256=66DA6ED7D4F66F1A97192ED8503F8A96A1347BEB4A321FCDA8C5DEAAC5F6D64B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.862{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB5DA9B4EF1DB415E23D960F34DB6FF,SHA256=E5C6BC2E058A446D7DC5F081EE887A94E4BD1697FFD687FD2B995263338F7120falsetrue 11241100x80000000000000005494276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.784{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.784{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCBA817F504535086B8D121225210CA,SHA256=CC60D481CE05EEAED80C37C04D0BEF5CC8691E66D611C3C8004FCAFDB6BD9630falsetrue 534500x80000000000000005494274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.503{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.503{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005494272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.503{4DF467A6-112D-6139-9AD6-00000000F001}81721852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.503{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.503{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005494269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF791A013DA2974E24A3398401F0EF1,SHA256=F32309B83015C85E18A17898858148319B6297E43A43A4C9D998D76538123F5Cfalsetrue 734700x80000000000000005494267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.393{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005494230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005494225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.378{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.362{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550523Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:21.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6D0CF982A2817D26A29795F49D6981,SHA256=322AF010B8054C2E21D46164453C05477BBF90CB2E448B976FC3D5E9917AD530,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000005494223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.363{4DF467A6-112D-6139-9AD6-00000000F001}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:21.362{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:21.362{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:21.362{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:21.362{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:21.362{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:21.362{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000005494216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.195{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7263MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005494215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.194{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72632021-09-08 19:38:21.194 11241100x80000000000000005494214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:21.193{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72642021-09-08 19:38:21.193 11241100x80000000000000005494393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.972{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.972{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949D32EB326802182B3DC81CFB8B14FA,SHA256=BC723A8F3A4E0831189F466477887C3BB85DCBDEC043EED4F409F9D0AECE27FDfalsetrue 534500x80000000000000005494391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.894{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005494390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.894{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005494389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.894{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.894{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001550525Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:22.718{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7650BC8675126E8511D01328393EA583,SHA256=102591B3D099D33BAB59DBF503FF30206C5C76750F8FB1B0E20B8A467057A1D5,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005494387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.784{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005494383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005494381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005494350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005494349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 10341000x80000000000000005494348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005494344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.769{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.753{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.754{4DF467A6-112E-6139-9CD6-00000000F001}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.753{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:22.753{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.753{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:22.753{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.753{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:22.753{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000005494335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.206{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7264MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 534500x80000000000000005494334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.190{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005494333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.190{4DF467A6-112E-6139-9BD6-00000000F001}27366476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.190{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.190{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005494330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.081{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.081{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.081{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005494326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005494324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005494319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005494304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005494292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005494287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.065{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.050{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:22.050{4DF467A6-112E-6139-9BD6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.050{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:22.050{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.050{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:22.050{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:22.050{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:22.050{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550524Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:22.219{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F28608053FF81ED3BE1D74CFDEFA307,SHA256=80FC73D425E86EF0C045CA97614D2490CCFD7D1EDD931C13F3EBB81AC182A78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:23.722{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59336786B7BD31ACCA603A319870D79D,SHA256=CA47E911D578A5B378B8A6BF675794CFB8A890C58C7814C946DD147C333B39F7,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005494454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.581{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005494453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.581{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005494452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.581{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.581{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005494450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.472{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.472{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005494446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005494444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005494433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005494416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005494412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005494407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.456{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.441{4DF467A6-112F-6139-9DD6-00000000F001}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:23.441{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:23.441{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:23.441{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:23.441{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:23.441{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:38:23.441{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005494398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB81854509788CA6D1254B322B0BA403,SHA256=0BC6410C61DB6C39BB582E9486A554C9ABC6B0214DE99434D7698B28DA2D63B5falsetrue 11241100x80000000000000005494396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:23.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457A4FEFFF74555D6F822B1D3065D820,SHA256=57382C3E0093C734434288776C6948482BDD0C2ED751D18127258E0E6157420Bfalsetrue 354300x80000000000000005494394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:08.592{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49746-false10.0.1.12-8000- 354300x80000000000000001550526Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:15.820{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61691-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005494460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:24.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:24.675{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8CC139542D9E2B63DBF6ACAB115E462B,SHA256=9122B7CD9B2E018FA8D89F6459975AA33F8198500B190F9E74D6C65743A04758falsetrue 11241100x80000000000000005494458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:24.472{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:24.472{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B57EA0C33ED5F4BF86F20867339EB71,SHA256=0C6EDED61A0EA62FA1F36772E44DC7183920EE8240C004D581098EC0E4CC9285falsetrue 11241100x80000000000000005494456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:24.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:24.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D994C167C2107CFBE0304FA5773343,SHA256=342A393F977A1813AD6FCE93112D3736685AFE7EE86F28D29CB8A4EF6AF71550falsetrue 23542300x80000000000000001550528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:24.724{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3B009D8DB6C72263D2D37763DAB7D0,SHA256=7EB73CB23F16B0CE48350C4146461765C894965D991949F07D4A3A6DAEAD6C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:25.730{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29101425D57ECC8A9A4D535B7662A96,SHA256=7511A6157D386C2C0C089CB468A0C8703E443E64000F4DBAFE92878920F92CCA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:25.831{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:25.831{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA4AE98D22A306D4CAA285416ED4A729,SHA256=C790B7A7A68A8B5686CE91AAB79072FA6B1D6CE24653A9A7BF3CAE916DEA1BA6falsetrue 11241100x80000000000000005494464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:25.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:25.534{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BF89B44EE0827B0741313E002FDAC26,SHA256=6DCF897F8F10FC3E8BE35AFAA3E174D2E3CC34A264DBA472C9B41EE40477069Bfalsetrue 11241100x80000000000000005494462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:25.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:25.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA38636C6642CA52927170127714F1F,SHA256=C28517DD6D6575C456EBF307F364CB123631BAA42C8C1741DB878AED21E3F418falsetrue 23542300x80000000000000001550530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:26.749{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C79A3EB082C1C8269135B4C3129CAA8,SHA256=DBB7598E0DF9F4626410116674B4EB64B75CD12F60EDD2457D4182504D41E0C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:26.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:26.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07D8D98FB21D8634D6DB822944F3C14,SHA256=442F74493BAF7C8573C48D6FB94FC8B6439243DCBEF97C07007BA2D6DAD1A9C6falsetrue 23542300x80000000000000001550531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:27.752{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31906F3466B887B2A4D7630121BF944,SHA256=847EE971BDF2F6373F870A38792928964E267D2859BD7AB9F539A8EFAF595E62,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:27.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:27.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59194AB9504C65A746D3E811A0644F94,SHA256=0B6BB7A3A0653A62C7B14376C07F1337923E7ED7665C4676FC6B6BF188ECAF7Ffalsetrue 23542300x80000000000000001550535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:28.754{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A6CF00A09B542B2F8729E109E96677,SHA256=29C85B118539CAF0866C1D1A7EB4B8ABAA45221A04E5D7B214F6681CAA9920D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:28.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:28.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE42310BC453A0202CB1BBB909C7B14,SHA256=A392BF62F446688906E1B0619BF52015CD59BDAC6EFE565915F531DCE7A47E07falsetrue 354300x80000000000000001550534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:21.685{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61692-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:28.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=675D6BFED217754093316A6407DC1175,SHA256=B94F4B5DF7BA34BFE7C7F85DAC96DC24F4B7EDC72AD9EF09AC5B1614A5F830C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:28.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663CFBC9528D4C9F71F46CAC9F3A6BA6,SHA256=D25689F8560E9F507486039B7014B09D4A957A10FE17F4301B28E010BDC93BE5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:28.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:28.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68569810B15BFEF8CC670F2B82E74817,SHA256=DB971C9921C5C587A6F95B826049F308DE7517E4C88D41A543281A69FB17DFFDfalsetrue 23542300x80000000000000001550536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:29.771{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADBE45AE36541E286EEB24E151C1728,SHA256=06A8DC4DB5611B69E318836C0F177F7CCF26C64277505AE75C29DA76B8672552,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:29.784{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:29.784{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=697E7619B7A2533ED9D4047DE7157C1F,SHA256=87A24D37E179BAFEBC51EBFE145DFC82206B884FDD322D701C696A4F26B51F25falsetrue 11241100x80000000000000005494477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:29.488{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:29.488{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41102F9826368AEED54226028B8C198,SHA256=DE24987EFDBA483E24429B33ACFC04AE293C81385F2A481DB4B592313EFB575Cfalsetrue 354300x80000000000000005494475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:14.606{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49747-false10.0.1.12-8000- 23542300x80000000000000001550537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:30.773{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2DCCA4CD04BEECD1F92EC199A6862C,SHA256=B8D99B7012EBFF33E93FF692D88BD7E540F922E055529BEE5994D649F6E2BFC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:30.944{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000005494484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:30.944{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=272BCBD2F88B68C1080CA8D1631A9155,SHA256=98349944F386B39EC365E25223514AE4E65497A3789855CDCB7757668ED0A382falsetrue 11241100x80000000000000005494483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:30.597{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:30.597{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F8D6BFE0DC0F06B70FEAF79B2F31D94A,SHA256=F1C46364D5918D29FE89083B578D610AEFD7AEA90019B81E2992149038E89DF7falsetrue 11241100x80000000000000005494481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:30.519{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:30.519{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F451FFB574C92E47FC8F23F68F45DBD2,SHA256=8B651504C63F3AE0C26C8DF6E3877685EE2DD7824183131BEDB5D4FE76D2BCF9falsetrue 11241100x80000000000000005494489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:31.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:31.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D971382139220186E8E9293E04225553,SHA256=8C8FCDE56A3A5F00ED312DA9C8870C469D7DCC95E8F2BD8D51E5516B1EB49D53falsetrue 11241100x80000000000000005494487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:31.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:31.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ABECE19100A5CE3A1E086E8A1A24EEA,SHA256=30EA916D621754763B862C60AA695E5B297FAC15C798A4BB548A4FD930A077DFfalsetrue 10341000x80000000000000001550547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.822{AEE49BD1-1137-6139-93D0-00000000F101}4652416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550546Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.775{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22ABADAA8A64B16128BDFA5F46F740F9,SHA256=8438968A0B93C64F5805D784A15BEA91F000DB3019461D1D47793B529943920E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550545Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.691{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1137-6139-93D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550544Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.691{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550543Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.691{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550542Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.691{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550541Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.691{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550540Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.691{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1137-6139-93D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.691{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1137-6139-93D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:31.676{AEE49BD1-1137-6139-93D0-00000000F101}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001550566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.892{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1138-6139-95D0-00000000F101}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.892{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.892{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.892{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.892{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550561Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.892{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1138-6139-95D0-00000000F101}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550560Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.892{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1138-6139-95D0-00000000F101}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.877{AEE49BD1-1138-6139-95D0-00000000F101}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.823{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D764E11400ACEA08ACED48CC22056D,SHA256=70C55F59E39A3EE489A78A76C22942E0D8CF445457B97863E8B116AFC7A85BA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:32.756{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:32.756{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5D58733E7D7A8B2F38033D1DEB815F,SHA256=C98498C8B0AA079923CC2FE49F9F6CF3CB471944C02C4EE11D071E6242F9B5E6falsetrue 23542300x80000000000000001550557Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.676{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=675D6BFED217754093316A6407DC1175,SHA256=B94F4B5DF7BA34BFE7C7F85DAC96DC24F4B7EDC72AD9EF09AC5B1614A5F830C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550556Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.423{AEE49BD1-1138-6139-94D0-00000000F101}47325936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.292{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1138-6139-94D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.292{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.292{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.292{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.292{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.292{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1138-6139-94D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.292{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1138-6139-94D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.277{AEE49BD1-1138-6139-94D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:33.893{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3706529A70A971DE66BAB8DE46FAB24,SHA256=5D321FEDAAC96C5285213A4F8B1DD52F02A8CAEEFC8074F1E1F6B67BA13BC46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:33.825{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B850205ADDBD5FA4A93AD16D0DA28B6D,SHA256=4F5D0F096D921B3D638BA974EB1584CCEA10C625496B7085BA6EF5E742C1DC33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:33.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:33.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF3F309F75699ACE6CD8AE4BFB2B192,SHA256=9D9857B566FCFBEA9F10F3EB39A5658339B89B5C6FF7C6E05D755BC0C576DE2Afalsetrue 10341000x80000000000000001550567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:33.007{AEE49BD1-1138-6139-95D0-00000000F101}35725984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:34.849{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698EC71C7EF9236757A964B41B7D86FA,SHA256=6B5633B51C11B5EBFB2F0AF723A1BE7CC2F2728B8DDDD7711BF81929EEEC1C9F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:34.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:34.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=211068F09A8C0F29DA1BEA2991ACD623,SHA256=50D1C70BBED2D1243F703248C48243C0AA3974A166209C8F4E58B77E1FA140F3falsetrue 11241100x80000000000000005494497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:34.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:34.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0765313B9B86EF7C6C0F548D048DE04,SHA256=0CCCD3A43AD0CA5012DDAC6A9B4FF18BFD1734F8E27F118EB8D5DEA286F04AC0falsetrue 354300x80000000000000001550570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:27.679{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61693-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005494495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:34.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:34.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1C1E5FD407797378AB98C607439916E,SHA256=76E791874950D6542C7FAC7BADF82253998EDDDB47D838DC3D457A8D41CFE4F7falsetrue 23542300x80000000000000001550572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:35.867{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8463E5B193C1EE029B156BAACE8343D1,SHA256=1F95EE07C73B12CE0FDF738129E90E55A9105536B691FC2016367048304EA7AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:35.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:35.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61952B43E9AB3F148A1F8B6FA4750B5,SHA256=2566003540D62041CEDB38A0F9121A91B6CBEB7ED5653441F9874908DFF29B8Ffalsetrue 354300x80000000000000005494502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:20.577{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49748-false10.0.1.12-8000- 11241100x80000000000000005494501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:35.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:35.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E80556B39ECE8B343A8A1468BB6545F1,SHA256=CF61466011AC74FC0DF239C49E5C85638D51F5B361571F5C3E5F43B890F70A85falsetrue 11241100x80000000000000005494506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:36.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:36.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C98A1528F604D6B5492F64C87618A7D,SHA256=F137398E51A77BAF9E0639ED04D04D874FB22F7BA54603757CC2B6A0D9993F5Afalsetrue 23542300x80000000000000001550574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:36.868{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66EB91C2CE9E802AE50B073CA4E13B7,SHA256=4ECF0EA62C2064EE343B020A4D8F03571BEECB2B59F933A2502B3639C7E590E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550573Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:36.347{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7254MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:37.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:37.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7A7A367403B425A24E5B6C57C771B5,SHA256=A567D3236E5A351958BE0716A712C0284FF2610BAFF28D4801673103452F97DEfalsetrue 23542300x80000000000000001550576Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:37.871{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEA4E76FEF19072829B7BD08D277E54,SHA256=ABC8BC31170AB6150DE1B833B4909D1188C82C424832EB62F7827C468BE4350E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:37.348{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7255MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:38.873{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE4956ACF325E456DA226F6E6F5FB3,SHA256=1E17B1EE3B55F22CC38CBA20BE468CCB4CCAD2E7AE6EF13D6FC0518283C70E6D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.912{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905F56C50538E2B52FB469E9410951EC,SHA256=3B826BA044F43842683329191CD6AC79BEED38FA7AB3C64EC7DE34F81AD50115falsetrue 23542300x80000000000000001550581Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:39.906{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216B20D8EDCA8701CB824F8342A46B68,SHA256=0F1661ED3FBDE5F65437B3DEF819399D609977361DE38A59D9CE2A395363DEEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550580Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:32.706{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61694-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550579Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:39.154{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D908B9E79BFA73A21B0134EA1300830,SHA256=D7803355F994699154FCD491402DD2A15304048F287DFB9D8E4EDD5F02BAA5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550578Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:39.153{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28B4BCA973392AF24CAD5EB03E88C6DD,SHA256=98E11E957A5CCE0CF5F33E1101FE007958931BAC00C59B7766319469D064B321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550582Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:40.908{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7776E9B0C635A0074A88861141D077,SHA256=B84EB27602012CEB367D18538F77AC651D652E4BC58229A9C749729CAB253375,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.772{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2FD2F7F357F1C078D14FB84E01884BD1,SHA256=42A47A0A1B2D4B49DED7A46EFE5E5CFEDFED4183343CED723E1B455F5B59FE0Dfalsetrue 354300x80000000000000005494519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:26.561{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49749-false10.0.1.12-8000- 11241100x80000000000000005494518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12D1CB6A0099162D289A322E435FB6CF,SHA256=7B5B895E9E4535140446C1ED5C01337DFDC6841CF9F4EE15D6FCBC8B6E20085Afalsetrue 11241100x80000000000000005494516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.084{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36F4B1F2D881B738E3C7E110E196C050,SHA256=7607203115EBCA1133329231025AEA9E85C1E4462170DFF08A6752A2B3BE161Dfalsetrue 11241100x80000000000000005494514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30DABC0E2464A0D66029CC009A8A4CC3,SHA256=036CF955E8F94EED288C28B99F4D6840EC4AF98E895BEF816BD9CFBF26F45875falsetrue 11241100x80000000000000005494512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:40.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C9FDA139BDB310F049FA7935E62483,SHA256=DDEAB1736A26070955F2283D11055ED4F392D5EF759A64E65946D2F62001B121falsetrue 23542300x80000000000000001550591Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.910{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F11BBE404E9B5D3AF240E7C1C71EFE,SHA256=B609222FDACB704418EB154C9BB03519633DA04D89F2ECE1F3C2025651C5D0DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:41.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:41.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50668E92E173E04A925B446D9496F369,SHA256=A3BB0996A65A32A7ABE0924A8FA4C11F1205A1840ED25816F45D04919C44A824falsetrue 10341000x80000000000000001550590Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.494{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1141-6139-96D0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550589Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.494{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550588Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.494{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550587Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.494{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.494{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.494{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1141-6139-96D0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550584Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.494{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1141-6139-96D0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550583Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:41.479{AEE49BD1-1141-6139-96D0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005494525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:42.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:42.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3922C5AD55535F5D246AA26F3482321F,SHA256=BE97980466229837E62234CA73B2A7A758249AAD6C79ACE1C3C386E33A1738C3falsetrue 23542300x80000000000000001550592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:42.712{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D908B9E79BFA73A21B0134EA1300830,SHA256=D7803355F994699154FCD491402DD2A15304048F287DFB9D8E4EDD5F02BAA5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:43.081{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D38532B7719222C8888B37417E00E77,SHA256=88FBD38C20DCEA7ABD2EFC1DCF045AD0E4E13EE12FD78C2E7D908CE09E2EB100,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005494541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000005494540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000005494539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005494538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005494537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000005494536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000005494535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000005494534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000005494533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000005494532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000005494531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000005494530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005494529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005494528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:43.944{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000005494527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:43.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:43.053{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262D4D1EDE9E1FED6E3A79CAAC6AC6A0,SHA256=7BC61CCB44F2835C41C02E1C3AB72B63D9D63D623774A6EF36E0108FCCAD895Afalsetrue 354300x80000000000000001550596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:37.784{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61695-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:44.182{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BE52FBF302629EA66E6B78C2A4E763,SHA256=4BD6C54136A846358A1951A442A96D450569C2C143A823DA8259324FD1CCCE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:44.113{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7CB436379802DD93704FAB00D427E2,SHA256=E20731DECA8AFC5A85DAD4B64C99687866E83AD0EAD6F2BCC7B60F6D1301CA71,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:44.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:44.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FE02DF7F4BC0F6069B10F78CC2E0DF,SHA256=38DE8B064A7005081DA2767F49C93CF014013745E4650858FA610B7C0362AA02falsetrue 23542300x80000000000000001550597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:45.115{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F347309222D7F2F8EDEA59C30E7CDAD,SHA256=AD3868D65510C80C4CBC490D75804F4235DBF1C5D9B863DA76F2DB484188DB35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:45.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:45.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A31A10DCE041350CAF6BF504C7648234,SHA256=703759BEF51940BE2AF254B0B0AFB0BB8A0427DA5EEF97B24D0127986A787B53falsetrue 11241100x80000000000000005494547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:45.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:45.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89C82816B79E087CC98EEEEB7E8AF9E8,SHA256=8C8FD130BDF19E787EA6C3655410D7BD484E06F848D3DA68A6A3C199A3AA4DF7falsetrue 11241100x80000000000000005494545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:45.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:45.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D72A3D056FDB2BD4A524E0CA078635,SHA256=DD45E1E03D8ACAEE9AE85C74972281AFCF01FC30324A1009B1211F6C0E5592E1falsetrue 23542300x80000000000000001550598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:46.117{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2855BB81F7DF28309FE33019E919AB53,SHA256=7D8CC3B0FA159DF747979BF09CF07DED6F390A76E9032FA5869CC31C83C465FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:46.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:46.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38BBC59B2F4F2AC3498DDF28DDF094B,SHA256=2677B155A8A890B18A65801669C0526ACB01F9F15341DFFC7AAA4D5E7EDA7CEAfalsetrue 11241100x80000000000000005494553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:46.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:46.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A45DADF2096418F31FC5F947A2FE1ED,SHA256=8477FD44824B15969C788D377F8E5D8523B40186AF3C43843D4A1F469FDAE498falsetrue 11241100x80000000000000005494551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:46.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:46.162{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12D1CB6A0099162D289A322E435FB6CF,SHA256=7B5B895E9E4535140446C1ED5C01337DFDC6841CF9F4EE15D6FCBC8B6E20085Afalsetrue 11241100x80000000000000005494558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:47.334{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:47.334{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECBD7A454E83F6271F2AB5C87679A1F,SHA256=CEC0CB8059F3E7F21D50D744BEA0343ED2AD513C8ED146E5C0FE2E741EF4DED7falsetrue 23542300x80000000000000001550599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:47.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EB0ADD3E9112B80FF13E970DA0E809,SHA256=C98F02FA82673A53AC5733A4595CC0A69F50C4F395B8E4224853D81FE1D48636,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:32.561{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49750-false10.0.1.12-8000- 11241100x80000000000000005494560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:48.350{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:48.350{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FF4A8114A5627F6171980E03E4A705,SHA256=6172B6FFC5B971D2F6BC7E3D2E4AA5E4298004B1CBF579D5EA23284FA3EC7E0Bfalsetrue 23542300x80000000000000001550600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:48.122{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E35BF29C8447A49CF2B4F3FD89553D,SHA256=730219EFF1B23BDE116374663D8EAB6E0F69A4D4C05BE31C2EEF609FF2927E79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:49.381{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:49.381{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC28731DD1FF2CC54D3ABED6FB476637,SHA256=2E7F76B8BC9D10A8CBA1EEBBD26CD07BF2D53F8DB7968E7ED437E72DAF539345falsetrue 23542300x80000000000000001550601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:49.125{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB6130CF46D0BEDDC31A31372A9A371,SHA256=96F6E4C8E00351F95A18EB8AA44C235B53573308E26F29A78FDD56ACB0CDFAC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:49.334{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005494561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:49.334{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005494572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.835{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.835{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=19E24226BB85B5AABADE60155CEA8EF9,SHA256=A425EB035538268E50659E24A4C664B3693824EA0A4248D6C3AD6A4F97563970falsetrue 11241100x80000000000000005494570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.397{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.397{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8860BACA8CFBEAAB4C23A7EDEC5DBA83,SHA256=2E38652C4484F95E4DAE2F5703C5899813A8377D42C6300CECED3361C1E305E3falsetrue 11241100x80000000000000005494568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.365{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A45DADF2096418F31FC5F947A2FE1ED,SHA256=8477FD44824B15969C788D377F8E5D8523B40186AF3C43843D4A1F469FDAE498falsetrue 11241100x80000000000000005494566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:50.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D702E11D522E56A039C6EF5C3713AD19,SHA256=02DD4EA6A09D0277E60BED7399D8E7FF2AE43C11D539117BC037F4F17144D308falsetrue 354300x80000000000000001550605Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:43.660{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61696-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550604Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:50.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638EEF47417873D7B84E35AE71FDD7A4,SHA256=BE3CF5AB8A765C921118B6E8843201BE75C9692E9C1B9A27D8620A334CF8CFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550603Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:50.079{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5062A78E1C82E83739F174A22DEF60,SHA256=CD41DEF251F8EBEA9CED7A81FF5247F6F8BC2EFC52C60CFE4E4433211ADAA15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:50.078{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A92503CD6A4562AEF41307BEB3066AA8,SHA256=93737507657EE43CF82EE6E305DB37176291B3BC1C9406D0DEE5DF27387C15AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:51.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:51.741{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B37B1E4967A2542985742B638AA835C,SHA256=51E7E6632C5CABA64D0329F96D175A66060182703CF617FC5681F1F1B884D6D0falsetrue 13241300x80000000000000005494614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x80000000000000005494613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x80000000000000005494612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x80000000000000005494611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x80000000000000005494610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a4e9) 13241300x80000000000000005494609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x26c0eea9) 13241300x80000000000000005494608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a4e9) 13241300x80000000000000005494607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x26b03ed7) 12241200x80000000000000005494606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x80000000000000005494605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x80000000000000005494604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x80000000000000005494603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x80000000000000005494602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x80000000000000005494601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x80000000000000005494600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x80000000000000005494599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291 12241200x80000000000000005494598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000005494597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000005494596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x80000000000000005494595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-291$ 12241200x80000000000000005494594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000005494593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000005494592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x80000000000000005494591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:51.523{4DF467A6-3F46-6132-0B00-00000000F001}6367488C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 12241200x80000000000000005494590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000005494589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x80000000000000005494588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.523{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x80000000000000005494587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000005494586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248\lsassC:\Windows\system32\svchost.exe 12241200x80000000000000005494585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005494584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000005494583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal 13241300x80000000000000005494582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-291.attackrange.local 12241200x80000000000000005494581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x80000000000000005494580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x80000000000000005494579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005494578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005494577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x80000000000000005494576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:38:51.413{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 11241100x80000000000000005494575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:51.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:51.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB3D0C7181AB170A509D6AC3B2B5738,SHA256=A2BD48819D2B2EEBE6BB87A1F808A6ACC78D4E1120BEB120EE1AA6E40D71E5C7falsetrue 354300x80000000000000005494573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:36.842{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49751-false10.0.1.12-8089- 23542300x80000000000000001550606Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:51.144{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A61F8E511E544284F9A17D0292E4B5,SHA256=92166DDEC944593710D42BC186E9026522A55A3ACDB07C25E2AE3F3B46022CA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.923{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49754-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000005494622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.923{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49754-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000005494621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.922{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49753-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005494620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.922{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49753-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 11241100x80000000000000005494619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:52.460{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:52.460{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A2B48DA2F9CC83782F5843B74CCEC1,SHA256=86AD1BB47757F017038A9B6B2F55B84A731776A76AC2D1794C18E9D0043E5504falsetrue 354300x80000000000000005494617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:37.576{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49752-false10.0.1.12-8000- 23542300x80000000000000001550607Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:52.180{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEAD409E576908F8BF504BBCFEC08691,SHA256=D16604309D105DF73C81975C315D65301BD59982DB2FDD64AC1CF687099764EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:53.492{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:53.492{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3EF04071D8BA34F3846607604008F6,SHA256=155868C8C9EE6A0CD88CE12D7E1375358E09B7653068774FECC3D04612952B17falsetrue 23542300x80000000000000001550608Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:53.187{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46EC3837CC6503DF49B8E551B72671A,SHA256=C4BC8FD1F3AA067BF2F6464A46A90E70C941D616D14047DCC50FDD4B5F86915E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:39.036{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49759-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000005494632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:39.036{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49759-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000005494631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:39.033{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49758-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000005494630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:39.033{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49758-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000005494629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:39.033{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49757-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005494628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:39.033{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49757-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005494627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.929{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local49756-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000005494626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.929{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49756-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000005494625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.924{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49755-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005494624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:38.924{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49755-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 11241100x80000000000000005494637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:54.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:54.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D54FD9484209E2B94F905EB625B9335,SHA256=BCADB2E07EB85E152F9AD3058DFFCB2CD7608A03215D954A31AAF4FD9436ED93falsetrue 23542300x80000000000000001550609Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:54.220{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0124B80EA10ED031426079784DA07439,SHA256=A73B659070525C31B92028AA3348AE5DBE3C91EDDDA63464ACFDB9EB57DC1544,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:55.898{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:55.898{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4EDFEC97C95AC6EE2A3278EBF25CEC94,SHA256=EF4EC38E83B935355107B9C730562B4CF15C0C560343E27303E0BADA780E52B4falsetrue 11241100x80000000000000005494641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:55.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:55.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74330D3AAC55682A722E9058C0D3F3E0,SHA256=D3F037D93D86B8B49C394B3E011C405BE6FC435D9CBA61B34C5829569AFC7CE5falsetrue 354300x80000000000000001550613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:48.771{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61697-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:55.254{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A59741BD2843020989D3F52190EDFE,SHA256=0623F27EFAC7765D62200ACD0834AC71D31C36BD4175E17526A82C6CBDC06DC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:55.117{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:55.117{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=00B8FA67376C29C5ED2950151E101193,SHA256=7467F8CFC6ED5B0D892B631AA46C3205B503A3294FD376CC9C8036743FF7325Dfalsetrue 23542300x80000000000000001550611Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:55.170{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E93B28487596FC48162A6ABCB30CCE,SHA256=933E1395A503075F1890595E08EF80630C3B2C7B4484EE6D73334D12502F27FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550610Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:55.170{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5062A78E1C82E83739F174A22DEF60,SHA256=CD41DEF251F8EBEA9CED7A81FF5247F6F8BC2EFC52C60CFE4E4433211ADAA15F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:56.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:56.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B78018ABB8612EC866F806651AB8B18,SHA256=1635254954FBCDEE12337E93BDCD85800550FD4DDF4C35DE30264418307AB8D5falsetrue 23542300x80000000000000001550614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:56.256{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FF6985910946E20E868A11C213169C,SHA256=57DCFC807333281D5157FAA927C853853F2EF0ADFF0ACA43261BD42CEB91B74E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:56.101{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:56.101{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6783F2A7D031376B2818F736F982149E,SHA256=4DB47E8C4B176A4E527C1B7DF65DC9C99D76DF6C5720EAE72154FD47B2E48201falsetrue 11241100x80000000000000005494650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:57.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:57.570{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75489AB100F0EB748659BB4841E3A906,SHA256=91BF85BB395DF699BFD5EEEB8CFB4AF3A751A55301CDDBE0B7A61E6877E56470falsetrue 23542300x80000000000000001550615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:57.258{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7B6738AEC9F04C7F1318452B90299E,SHA256=D10B7DCA7088EF0AD57BB1A8420690890F6E9EA011F9E4D919600D7CA3871D5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:42.595{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49760-false10.0.1.12-8000- 11241100x80000000000000005494652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:58.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:58.585{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AA30C362BED7F0590F05D8356424C3,SHA256=1CCE7873EB6AC45000E7D55B38BA3401F9FB77211673E685E69BE4E33431669Bfalsetrue 23542300x80000000000000001550616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:58.261{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5F1C7512FD8E42BD59168E6B05FCEB,SHA256=D8E30828A9C3D467EA2A1A8D0A10EDE384263DF689159234DEC46243C1DFEF9B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:59.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:59.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6070BA34B8B813026383E8B6B69F30A7,SHA256=0512EB49CDCFA0CABDFAA1A87EF6DADABA7D9A05407BEFA4E1B3C3F3A2EF19ABfalsetrue 23542300x80000000000000001550617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:59.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3F1193A7046B69A2A15113E337420F,SHA256=9DC5FA1122A5796221A53538AF7B90F769405550141216F387EFEECEA513B776,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:00.960{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:00.960{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9958A685144A2A00C114810BB51AA20D,SHA256=B18D72C44279B72758CFDA12141EC25DEFF55F9B254B0436AA0A47479A8CC9DAfalsetrue 11241100x80000000000000005494658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:00.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:00.617{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481BB72E01C2D48C102F8AF5CBC48CCF,SHA256=8D9A906D18727FDA8657B477CA285F45B982BCCE62A23E37E65322804673EABDfalsetrue 23542300x80000000000000001550620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:00.334{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1BFAC7B453F0646A63005BF58CEDDCC,SHA256=67D75397A657232019081D7B2553D608F0736BAE7752D3FDFE6AD8939C24AE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:00.334{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E93B28487596FC48162A6ABCB30CCE,SHA256=933E1395A503075F1890595E08EF80630C3B2C7B4484EE6D73334D12502F27FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:00.281{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D016F6100C82A91EA7BAB1E4EF625D0E,SHA256=5E7886BC9C6034E4ADFD9A62D5375A36FCCB82EBDEC18E69008E14D0AE64268F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:00.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:00.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38D1D155B9D83DADC6E0F690EADF7529,SHA256=CE3B4AB19BD31212E048452C38C2141A54EF110135C4A644713CA0C95A4967F1falsetrue 11241100x80000000000000005494666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:01.632{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:01.632{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46ADC767385B8FFB8BE1A50D02C56094,SHA256=269621EDFC2D02BF2DE999665A023B6B5278F5479E9687849D80ACC31657B2F9falsetrue 23542300x80000000000000001550622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:01.283{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3ED3D46D42F1E5FB71F97E3B80D47C,SHA256=92519B524DC781A4D6B6DAF7556D4B0FD84FF2A7A90C3F1C7BFF982C4DBF9D56,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:01.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:01.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20CE371C882E26AE48991796C0BCE05,SHA256=23F7388187297F5061E453CE51A48C69C0C1E1E91F077CFB207B7110F747210Ffalsetrue 11241100x80000000000000005494662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:01.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:01.320{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=488B845FF686293AD679ACF3466C99AC,SHA256=4F91A81942F6B096643F2A2F8BFA89BF7FEC65A24F27E4E89BCDE4E9FAC45584falsetrue 354300x80000000000000001550621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:53.836{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61698-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:02.285{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6261818551E6918FB60800262F5797,SHA256=2B990430E0F8E80153C654B766294D5A95B3268F8E79E6C5F59F5EE50C9CC44E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:02.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:02.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E186CF31F04A592774A232E4795AE8,SHA256=5E6F2FA9892C4B211C4504FE3F8681AD3DEAE98068EDF01B132950E6E8A0D675falsetrue 354300x80000000000000005494667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:47.626{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49761-false10.0.1.12-8000- 11241100x80000000000000005494673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:03.663{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:03.663{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07184BCE697A0DA566DFAB5518740E29,SHA256=5949DA064CCF1964DAA411654848D1978548B914FE80835A9D1CA70115635B87falsetrue 23542300x80000000000000001550624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:03.287{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A2AE65536D3CAADAFCDE390515CEFE,SHA256=C4D493BD499689D6F028511FD5F010D636CBD792CB851DF4AFD92D6ACE0BE03C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:03.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:03.304{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20CE371C882E26AE48991796C0BCE05,SHA256=23F7388187297F5061E453CE51A48C69C0C1E1E91F077CFB207B7110F747210Ffalsetrue 11241100x80000000000000005494675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:04.679{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:04.679{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99467D1D8CD5A4EAB8FFF5CB6B9A23D9,SHA256=8424CB863C304CA071DB2FCF28A659004D7FB8C864C9BEA6080670686FD1E75Dfalsetrue 23542300x80000000000000001550625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:04.290{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F0ED3F9B26A2AE2F7711A30A1D005D,SHA256=657201D5813DFC2AD159A3651317F30FE29719B170224CC2FF24755A5521A03D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:05.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:05.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6019B2386EB65CAB10F7DE824A5CAD,SHA256=6A4FF05A404BA0E62847B231F3E52E1B4894216D1A2BBEB8266758E60E1476E3falsetrue 23542300x80000000000000001550626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:05.315{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBCE4136569C22B69DA4C116B48ECB4,SHA256=CC1394DEA3ADC18B7652E9368353558885DC621BC03B145FBDEDBF91B269BFAE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:05.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:05.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C343AA866770E35402D8D46759ABA5A5,SHA256=D6CAB8B046B5C64117A6EB27EE346539BDC508D00905DA26D22C331FB6B33D8Bfalsetrue 11241100x80000000000000005494685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:06.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:06.710{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78178AFA2F29155CAC8F7451D20F562B,SHA256=0073756C8F930F6D4E7DBC5086E44101E00DF66AA6A07D5DDA030C8C8A0A2146falsetrue 23542300x80000000000000001550630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:06.549{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9F4170637A2BCF9BFFD17653510E5894,SHA256=1420ED8783B520F67D3232551C3384500FF165A42EC1A7A39EFBFC4F4A9171D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:06.317{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551B2E7F7BDCF4F327F21DD9468960B1,SHA256=6109CDD369684AADA45FD7D6E34107AF5D8DF66D992EE841CA13D41F18AAB31D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:06.179{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:06.179{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=253DC9732D0527672429D1C25B343BBA,SHA256=6B49BF9045784043BA3CF2E6FF13C7FCFCFB29DEA4FF6CB1317113ECF71A0637falsetrue 11241100x80000000000000005494681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:06.023{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:06.023{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F182F40B6E4F48ECD94B0C52DCCBFDEB,SHA256=59388CB2026CC37CAA126FF92D3F3E07454EF975482A3C88A43828CBEEFD124Bfalsetrue 23542300x80000000000000001550628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:06.015{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30BDEDA13FD051969E884D9C871161C1,SHA256=0277B133AC49CC682C9EADBC9C7FA02271F9C5F7711089E83FBE4B65E329DF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:06.014{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1BFAC7B453F0646A63005BF58CEDDCC,SHA256=67D75397A657232019081D7B2553D608F0736BAE7752D3FDFE6AD8939C24AE82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:52.671{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49762-false10.0.1.12-8000- 11241100x80000000000000005494687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:07.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:07.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129FF5C26C91E57D14A0E84150240ECD,SHA256=EA013A554361AF9B8B12749B022C0F741521B573A44BD498E7BD3BD36EC3E44Afalsetrue 23542300x80000000000000001550632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:07.336{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC083D36095FBD6CE7CFD0F9A85FD59E,SHA256=C1572069FCB18D69F8157B01780E51DA326514D00AF8C18E9753F128BF9C4C36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:38:59.611{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61699-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005494690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:08.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:08.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FF222AA4FF4E3583F62E3510BBB75E,SHA256=010172A05C80242EA09B00503481C4002BB58672FB6CF11C999CD861CA423E61falsetrue 23542300x80000000000000001550633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:08.338{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA8337F981B4F17E94E1791D8C7F26E,SHA256=CF42500FD98E865AC1947B846C05C51A8BCA2D46DD50448D88E5B9D6BF7A10EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:09.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:09.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126F9370C139A5A52E601015C65C6FB7,SHA256=162AD657BEC12DFEA123209BA1D84FCA87BA517C6A117B809D12AA6855632075falsetrue 23542300x80000000000000001550634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:09.341{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F8A631E777833E75DC6A0B9E9A891B,SHA256=3CD326F876244E2351B950E13855E15DC5D9E118B6D1668E1B508C3C1CC137CA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:10.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:10.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48CD7A1E9870DA86C9FDBB0DEFC64AC,SHA256=018EF7A6246DBB5100DC2D230FC82AC2EF1959CDB7A84FF3E52A80A3719A32DAfalsetrue 23542300x80000000000000001550635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:10.343{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B60D7FFE877C513BEF8149630C614E,SHA256=8F1BB7335220E81366EFEE0E817C8A957E80D18C8EFA445C5E5D35B2AFBC2BCD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:10.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:10.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3F39B6F7497176F6573941D794723685,SHA256=A1110B07416D4D0D62EDD01EC8E40819EFEE1ED7B6003E1CFB78AD34C76C19C2falsetrue 354300x80000000000000005494707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:57.764{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49763-false10.0.1.12-8000- 11241100x80000000000000005494706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD184C3C092DD0641442484C74BCC79C,SHA256=6804AAAF6534696645A49F54034FD918E4250767F0A7B6CDD325435F481C6A8Efalsetrue 23542300x80000000000000001550638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:11.345{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57B2677B8AF9D0E66FC2E996B266223,SHA256=AEF17801D631B5A457437ACBC01743644871CB90F10A610FDB438905AED17D24,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79872AEDF9304C06DF98883B81DDA069,SHA256=EFABBE3ECC8EEB6931C35F0D66F083DB2748B7F751E719E4DD2102D9A46D6C29falsetrue 11241100x80000000000000005494702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1C0176E42CE7AF0F194DC62145E56A,SHA256=C610C2AEAE304A83F47D4912211170AC3DE3A92A4415B6E8B8B0994525B52020falsetrue 12241200x80000000000000005494700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:11.241{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005494699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:11.241{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005494698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:11.100{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60C395E722F0653BD09910BCC47B189D,SHA256=340506BA5A8CDAE5E5C662AC3A34EA48F1A1954A2D4D3B4C5D0D4492B74DDB20falsetrue 23542300x80000000000000001550637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:11.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5E63825A92BD16C22B13811516FF53D,SHA256=21213DA3ECCC326EB3B693C9C361792C7DC71376BA5D15D609F234FF3EB8BFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:11.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30BDEDA13FD051969E884D9C871161C1,SHA256=0277B133AC49CC682C9EADBC9C7FA02271F9C5F7711089E83FBE4B65E329DF35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:12.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:12.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA68E9A8FFEFFF877884D2D860C772EF,SHA256=F6E05501C8A7388D4103378E1D9988DD86D3EA6A051E50493B7D6A8752A140D8falsetrue 23542300x80000000000000001550640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:12.348{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BB5211474999D1782945E1A6102029,SHA256=5B52C962F1436809EEE4F6409EE5D62A5F2BFA930F5C2F2989933300671A75E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:04.662{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61700-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005494713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:13.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:13.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55D0CB1B13EB401F6143EF35E5F3324,SHA256=52020FE648587D2C3720FED5A685BCB485DCCC4B2ECC2E7CCB78DB3E7FD70DC0falsetrue 23542300x80000000000000001550641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:13.366{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A076EFD28D15FC449581F7D2E20A8427,SHA256=28A0393288C0BDA8A01BD5703D9240E41AC83A391DCF9C08639502357B845AA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:58.748{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49764-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005494710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:38:58.748{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49764-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005494715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:14.944{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:14.944{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88410219A7901D7328A1342D733863E,SHA256=BC03AD52474D1CC6E2B56E3F7EEF3138857C1D05F88C639B310A4CD90C41CEF6falsetrue 23542300x80000000000000001550643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:14.754{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:14.384{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D409CCAFBCA77DB9CF90D25FDB7F07E,SHA256=6BEA33FB6836372C987EACA96F046868C45AAB3CB9D76CAE9761BE59C7CF3B66,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:15.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:15.959{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD75917A5E3E3BF7DD1035EA963D6122,SHA256=8CCC28FCF45D571A29BCF8923099668342E55E8C7BE00BA6336AE0BA04BF7041falsetrue 23542300x80000000000000001550645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:15.736{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5E63825A92BD16C22B13811516FF53D,SHA256=21213DA3ECCC326EB3B693C9C361792C7DC71376BA5D15D609F234FF3EB8BFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:15.386{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EF64612107196A54445CD38E25389F,SHA256=DD03F1F234F5F3684019B32E45137B685881CFF0E458AF2C4D5A6448FE91242F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:15.350{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:15.350{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01E0453CB5C28D0A85D3229263274E52,SHA256=4FED19199E905D138449A177F3C7799EEB596738E35AF040C6E45D790219391Cfalsetrue 10341000x80000000000000001550655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.704{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1164-6139-97D0-00000000F101}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.704{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1164-6139-97D0-00000000F101}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.704{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1164-6139-97D0-00000000F101}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.689{AEE49BD1-1164-6139-97D0-00000000F101}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:16.388{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A44D4DE1A1A672C768B1DAD47B8090,SHA256=A52BD5579F2FC5E03751330FD7C7BF041003AF2185C81025BE4C9F1E352A9C4E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:16.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:16.131{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6111F727BB3C2583A7E07F736C4C33D8,SHA256=8A109E5806F6486D95081952F07B9993BB1D9F14ED603E742C6A8F2C161CD905falsetrue 354300x80000000000000001550646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:09.335{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61701-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001550667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.721{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD7E0EE7886EF1BF9200C0A1E5BBB065,SHA256=5E9FFDD0173A2EE9ADA42730E484177663D1C2C9E7C4E37355BEC2809CAFB5BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550666Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.520{AEE49BD1-1165-6139-98D0-00000000F101}37202204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.405{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1165-6139-98D0-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.405{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1165-6139-98D0-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.405{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1165-6139-98D0-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.390{AEE49BD1-1165-6139-98D0-00000000F101}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:17.389{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E97CF9A459C7D6E4169F6C97940673,SHA256=178762CCCE1B4D7EA47AF7F794204C83B60B98F8BDA5308D320F5CBB0E035FC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B44AA28A0834ABD6E1B30BB3EE7FE2F4,SHA256=A47940A28BFCE1A9C1723BFBECB2F6C199FEA805B90A66785CABC3B5BD38AAC5falsetrue 11241100x80000000000000005494725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79872AEDF9304C06DF98883B81DDA069,SHA256=EFABBE3ECC8EEB6931C35F0D66F083DB2748B7F751E719E4DD2102D9A46D6C29falsetrue 11241100x80000000000000005494723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82209CBA0EB2A22BFA16C8DDC1FC60D,SHA256=FEF171A9296FCA27359E313726DC0A4F34687200F83D86FAF8384B17D18DFE6Efalsetrue 354300x80000000000000001550656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:09.689{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61702-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550676Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.390{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7235A907709745008DDCAA3796D1CE80,SHA256=C0F39281961B25ABF24B3C56215DAB7D2D6317ED881DCB9E443EF97375CC6A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005494730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:03.700{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49765-false10.0.1.12-8000- 11241100x80000000000000005494729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:18.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:18.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EB6EDD3F42F2EC26093E4B3AA8C7D3,SHA256=559B78A0E32A24B3203F010B1D60B9DC0ABFB4927AC428B72215F876E401A1F2falsetrue 10341000x80000000000000001550675Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.090{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1166-6139-99D0-00000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550674Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.090{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550673Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.090{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550672Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.090{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550671Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.090{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550670Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.090{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1166-6139-99D0-00000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.090{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1166-6139-99D0-00000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:18.075{AEE49BD1-1166-6139-99D0-00000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550678Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:19.392{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4568A90609CCA86A03551A4A72F7015,SHA256=B7B09272315EA3819C3AE9C02A4E95F87C0A39820C2A9E232711143D0542D7E7,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005494788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.553{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.553{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005494786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.553{4DF467A6-1167-6139-9ED6-00000000F001}59121120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.553{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.553{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005494783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.444{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005494746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005494741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.428{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.413{4DF467A6-1167-6139-9ED6-00000000F001}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:19.412{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:19.412{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:19.412{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:19.412{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:19.412{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:19.412{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005494732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:19.069{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9D38F5331BBB2967FCF2AEE06D4CBA,SHA256=22588AC9C71FA933B35E1EC4B52C56BD2B0D9358D960843715AE31B3871573ADfalsetrue 23542300x80000000000000001550677Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:19.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D827D7E3A8CE1D68C5624A0D0ECCFF66,SHA256=A2CCA746141CD365856E688525D6EA4C74B91C1358C146562DC26C225E15DBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550679Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:20.394{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1158CE902DB800CBE3ED60DF1600EBD9,SHA256=6080C9083DF72743ACFE52B7C4940AB809367FB2404CE4CC2226A21E2254D992,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005494912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.819{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A044E6A8EF3A71F1F429A424485CCE,SHA256=C84E332A045B3E71095EDB3A044BF67744AA065F63A32732C0234ECA2EF14F5Bfalsetrue 534500x80000000000000005494910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.787{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.787{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005494908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.787{4DF467A6-1168-6139-A0D6-00000000F001}34485752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.787{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.787{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005494905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.678{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.678{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.678{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.678{4DF467A6-1168-6139-A0D6-00000000F001}3448\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005494899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005494868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005494863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.663{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.648{4DF467A6-1168-6139-A0D6-00000000F001}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.647{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:20.647{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.647{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:20.647{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.647{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:20.647{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005494854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.444{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.444{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B44AA28A0834ABD6E1B30BB3EE7FE2F4,SHA256=A47940A28BFCE1A9C1723BFBECB2F6C199FEA805B90A66785CABC3B5BD38AAC5falsetrue 11241100x80000000000000005494852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005494851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ADC6A59649EDB84FA8F75053A1CCFF62,SHA256=8704E27102A4B8E055A46D8AE2AC81227D31518D3DF4D35EC8CEC1E20C15ECE8falsetrue 534500x80000000000000005494850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.241{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005494849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.241{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005494848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.241{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.241{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005494846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.241{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE8203F5C3BE93624D409571402C43D,SHA256=218A7C2B2BB20F5ECC5982A8780B837D94F7A70C30392803863803E6CB83A86Bfalsetrue 734700x80000000000000005494844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.131{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.131{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.131{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.131{4DF467A6-1168-6139-9FD6-00000000F001}5560\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005494840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.131{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005494838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005494833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005494813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005494810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005494808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005494807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005494806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005494805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005494802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005494797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.116{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.100{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:20.101{4DF467A6-1168-6139-9FD6-00000000F001}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.100{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:20.100{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.100{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:20.100{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:20.100{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:20.100{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550681Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:21.396{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8B294AC2241C475CDC8C2A5AA5660F,SHA256=7808C10245C3F57811323A54F5706C76CD33CACADCE6446054EB680DA06BCA2E,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005495032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.975{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005495031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.975{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005495030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.975{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.975{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005495028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.881{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1504200EDAB9CB669B4545E64D3203,SHA256=AD653C72CEC333C35FA5C2281B16E2E1ACB661C21F97F487FA3F4CD6A25EE127falsetrue 734700x80000000000000005495026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.866{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005495022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005495020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005495005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005494991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005494988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005494983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.850{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.834{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.835{4DF467A6-1169-6139-A2D6-00000000F001}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.834{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:21.834{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.834{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:21.834{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.834{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:21.834{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005494974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005494973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A67348455EE1D844F53C2CB9F58557AA,SHA256=E0220D3ED57A56E4765478E487C3A5743C2EFEE80944E2AD619D4CD1B513619Efalsetrue 534500x80000000000000005494972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.319{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005494971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.319{4DF467A6-1169-6139-A1D6-00000000F001}5480344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005494970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.319{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005494969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.319{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005494968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005494967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005494966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005494965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005494964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005494963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005494962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005494961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005494960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005494959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005494958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.209{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005494957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005494956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005494955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005494954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005494953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005494952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005494951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005494950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005494949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005494948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005494947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005494946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005494945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005494944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005494943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005494942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005494941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005494940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005494939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005494938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005494937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005494936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005494935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005494934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005494933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005494932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005494931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 11241100x80000000000000005494930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 10341000x80000000000000005494929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005494928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E37E4F21335B4907D6A23896AA4148E,SHA256=CDBE14826BE7BA71994D1927399BBFBAE2448D390A954052DC3F7DE109F5EDF3falsetrue 734700x80000000000000005494927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005494926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005494925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005494924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005494923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005494922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.194{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005494921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.181{4DF467A6-1169-6139-A1D6-00000000F001}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005494920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.178{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:21.178{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.178{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:21.178{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005494916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:21.178{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005494915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:21.178{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005494914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005494913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.178{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96084226E548877C687989205D58BE3E,SHA256=E87437EDBD19A84CC762B634986AF3F45CF09BCDE8C07D5A6FB5C43D16F66A20falsetrue 23542300x80000000000000001550680Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:21.212{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=399350616A89C6B89F7B8C251799B428,SHA256=950D56EDB210D2D6B6B995BE0B5F96E12AD837DC40F5893C50D4B02735D6DAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550683Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:22.399{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDAA509B1864DC35280EE9DEE882D32,SHA256=637E7C24CB70056ABB9ABFB5FFE311D2A20B15CBB3A6361C7A084FB7844E0BE6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.898{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.898{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BC4369822E503583D44F91A5DDA508,SHA256=2176EA1839FD8E24E336C6F89C2D5BA6DD2E7B2DFD85772090F622D841D976C1falsetrue 23542300x80000000000000005495094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.728{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7264MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005495093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.727{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72642021-09-08 19:39:22.726 11241100x80000000000000005495092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.726{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72652021-09-08 19:39:22.726 534500x80000000000000005495091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.664{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005495090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.664{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005495089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.664{4DF467A6-116A-6139-A3D6-00000000F001}67204160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.664{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.664{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005495086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.554{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.554{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005495082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005495080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005495064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005495049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005495048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005495043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.539{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.524{4DF467A6-116A-6139-A3D6-00000000F001}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:22.523{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:22.523{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:22.523{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:22.523{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:22.523{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:22.523{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005495034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:22.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547B621766C14E5F3A40885679485B85,SHA256=2A4C2952649EB7B4BDE2B7AE5FA5EDA5DC16F3B4EA3A5486E81E58D207D31D45falsetrue 354300x80000000000000001550682Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:14.798{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61703-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550684Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:23.401{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7C22D3D3A7291B3287DC940BAE0691,SHA256=868BBD33ABB70186C5514E66D887CE5086617CD4FDB3051194F058147406DAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005495157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.741{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7265MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000005495156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.398{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D897D830535E34436CDDE20B00E61CD,SHA256=00B60BFC1B86C4410110FD47158F29F8693B975B1A6B4F763BB31CC236622E81falsetrue 11241100x80000000000000005495154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.382{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.382{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5000CDBAF50FB06CE6DA229DE1917E22,SHA256=E950CEAECED55D15B08737B2EFA9FCFC392FDD833517240659132AE1F11429B0falsetrue 534500x80000000000000005495152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.351{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005495151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.351{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005495150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.351{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.351{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005495148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.241{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.241{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.241{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:23.241{4DF467A6-116B-6139-A4D6-00000000F001}4780\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005495144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005495142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005495131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005495114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005495110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005495105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.226{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:23.211{4DF467A6-116B-6139-A4D6-00000000F001}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:39:23.210{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550685Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:24.403{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55D497BE22782C81ABDC0A061DBC004,SHA256=D40B00BF7BB0D60BF90262D67FDE007FD3C69E90E8DEE5F4F2B597270E6AE2E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005495178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}12486484C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005495177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}12486484C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005495176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005495163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:39:24.710{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 354300x80000000000000005495162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:09.732{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49766-false10.0.1.12-8000- 11241100x80000000000000005495161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:24.367{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:24.367{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097FC42BC0B55EA5E91DE35D2DC7C984,SHA256=F5B39FFAB72628CE0B4B52638FF839D82321A8BEE89131BF3C7B834DE0F8140Efalsetrue 11241100x80000000000000005495159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:24.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:24.223{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED44776AA70A182188F1488FA9A9C4A3,SHA256=C3237326F608F0821F11324E0BD8E07482CAB4DB404BFA4F9825479060160F56falsetrue 23542300x80000000000000001550686Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:25.406{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC20192AB4E546B659009CB0245D2BB1,SHA256=8F5F42E2610AA95BC08F73EB3BCE3C43F44DF355B1417316D6DE1823FDC99925,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:25.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:25.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD6E8888EED50C8A8291B41C37A670F4,SHA256=0BDA3155B772DEC5980E8DDF3B8AA0291365A0C4D5914340389CAA298293440Bfalsetrue 11241100x80000000000000005495183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:25.679{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:25.679{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F9F7D5E619F9CC9937BCAC72774BC10D,SHA256=D2945AA3137F73ACA77721A85E00676F4BF4E70B3DC83FF3A1C1BC310562C8DBfalsetrue 11241100x80000000000000005495181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:25.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:25.648{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3296F03EA8D9F9CD226CCEE3E11F5A48,SHA256=DE87108E2B47BF73082E83B463C122ADE72361536C61BC3B7C2F5D29C596168Cfalsetrue 18141800x80000000000000005495179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:25.601{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 11241100x80000000000000005495191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:26.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:26.789{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71682D6AE0F7A0FF9AD31C1941733D9E,SHA256=EF7D8B9AA01014774A1A7A3CA33A17204F036A93899EFE520A977DF092505864falsetrue 11241100x80000000000000005495189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:26.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:26.695{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBA20B88129C9A9A798F1B4973A855B,SHA256=1DF6FBAABFCB50A4D8AC95AFAD117C35208DF2A20016BD101F792FD13B31BDFEfalsetrue 23542300x80000000000000001550687Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:26.408{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8136200E42978E357AD0D24C3BCB228,SHA256=2BE1718A149B87E4381518B2AF4D200EAF4ED07320A0C47A34482FDDC00CDFE6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:26.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:26.257{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8FF457D9D85A5DC88DA150DD78C796C2,SHA256=B17226136A19F4B5274B3B28FE16C6B8B7A61A1422DB676F63AA94FA746A10BCfalsetrue 11241100x80000000000000005495193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:27.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:27.820{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D548A0656224B99F351B42DAD20F188D,SHA256=A3944C5BA0276A16CD369E0049E48798B8BFB3DDFB22EB5CB655089E4778695Dfalsetrue 23542300x80000000000000001550690Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:27.409{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14774324D6E436DAF180F3528FC5D54E,SHA256=96924EA664872DEA4E21513DAACE750DADFB50CE3F8C48515A7FA4A6655F9790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550689Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:27.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10219DE124CE1E1B2A90F61F6475B83B,SHA256=CD14611BE7060181E1CFDE6F9626D496EF0D67D609818A397F1891F1414127DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550688Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:27.178{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F7F591EDDB85093098924DE5FA7FB65,SHA256=C90CAC27C464DDFE649B61C08E8F1227FC28332C901BC9373BB81D7AE6BD9F52,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:28.835{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:28.835{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817257EE6A583AB33D271F77F6D60021,SHA256=47931CC12238CB7050E981CE8D4EE5683E8450322A3D4D5FBBCCFDE9F76F88C7falsetrue 23542300x80000000000000001550692Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:28.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961E21C2139BBE81070201F07A6C5928,SHA256=47C8A2BBE57BA8F8AAFB67BC079FEF2187D819A0E408E7B39A9C0651F3943055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550691Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:20.780{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61704-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005495201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:29.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:29.851{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C0C2C645657CC883471B080107FA65,SHA256=F5AB2BA6E939B7B8CE4D353211BB660E6607E47693BD44DC8942712B3D03D56Efalsetrue 23542300x80000000000000001550693Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:29.415{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B75FF336169A3213ECA79889C8C537,SHA256=D05F899EC7A6C0E275D796892125E499D135E9D0B469512C5B8CC2C6532885C1,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000005495199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:39:29.710{4DF467A6-3F58-6132-2A00-00000000F001}2924\wkssvcC:\Windows\system32\dfssvc.exe 10341000x80000000000000005495198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:29.710{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x80000000000000005495197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:29.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:29.242{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CF3E9E0C715F8061B53BCC932945692,SHA256=0BC9EBC9A274A2F6F0AB5A7B8DF677CC50FCB6D6D5D2BEB15608F157CEDAF207falsetrue 11241100x80000000000000005495210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.949{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005495209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.949{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4DDBEB7457F8DFBCD6720378E5001337,SHA256=D1EE480D5D340EA5F0DEABC646C3EF8FEBD0877BA633EA27903A5B34591DB510falsetrue 11241100x80000000000000005495208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.871{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CDC537E627A0F427985125F7C6B289,SHA256=3A9774D32BA5ECCC3EE634E63C86CB0D02C90D236A37B441F892D700E441EFE7falsetrue 23542300x80000000000000001550694Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:30.417{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBEEF23F3B71CE5556032DDF9119A5A,SHA256=0DE2C5A9EFD7C5B5D870A2FBB12A7DBB87945ACBC645B556782383E9DEB8C62F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.742{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E06E68EBBCABA053A6C39BFF67A2CB23,SHA256=8C77744EDCC752ACA23B07DE87A377DBEC85BD166A96A8F87474E2BBDDA898E2falsetrue 11241100x80000000000000005495204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:30.601{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA915C580E4A95D7C9A02782AC09E6AF,SHA256=8E8FBA4DC641653FAC427A5EC0DE784FEE6BE9783FF780D2AF2AECAE20C89E0Efalsetrue 354300x80000000000000005495202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:15.732{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49767-false10.0.1.12-8000- 11241100x80000000000000005495218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:31.903{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:31.903{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E460BCB4F5625657E160A9AF3B601D13,SHA256=2B9CA3EADC00986139EC849BE95296C434453A968AB3DD1FBB45D0B85BF8E4BBfalsetrue 10341000x80000000000000001550704Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.819{AEE49BD1-1173-6139-9AD0-00000000F101}45205440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550703Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.704{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1173-6139-9AD0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550702Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550701Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550700Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550699Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.704{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550698Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.704{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1173-6139-9AD0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550697Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.704{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1173-6139-9AD0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550696Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.689{AEE49BD1-1173-6139-9AD0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550695Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4E82F6C33CF3ADB91DEC09240E3668,SHA256=7BF85ED2A606AE744695FDCDA259F7678CD912BDD6D230CDF2AA29DD1433A5DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:31.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:31.778{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A8F6AE71805548B34B7674209ED26EA,SHA256=D95001AD4EF8C8D8034258827EA657A0DE18CC613557E1A602664183D6C6E72Cfalsetrue 354300x80000000000000005495214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.218{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49768-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000005495213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:17.218{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49768-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 11241100x80000000000000005495212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:31.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:31.324{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=40C660EC68B1D70EF96B8A0D154C7CFB,SHA256=85FC381BB10D90FFC7308ABE7B418145E5250B221BC037465B6BFE0046A2E92Efalsetrue 11241100x80000000000000005495220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:32.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:32.965{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB54DCB678F276C05DEA6AAB8A00BC8A,SHA256=320B74813382009DA14CF3676F946FABF7AE42334C9A7A640CB28C4C952C73D3falsetrue 10341000x80000000000000001550716Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.536{AEE49BD1-1174-6139-9BD0-00000000F101}18562036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550715Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.420{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017FB9020CA44758FE5A95FE58976953,SHA256=2DCEF54F01D4ED909E0D432FBE8A85E91577D583135508E68169DDA1D15D1E4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.405{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1174-6139-9BD0-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550711Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550710Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550709Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.405{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1174-6139-9BD0-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550708Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.405{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1174-6139-9BD0-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550707Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.390{AEE49BD1-1174-6139-9BD0-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550706Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.220{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C2FAA5F836A70467999536B2BA99EDA,SHA256=547F95E0BB71A83D0BC6A06511556B8942A613A21A46BD3F48CC0B5570E8B489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550705Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:32.220{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10219DE124CE1E1B2A90F61F6475B83B,SHA256=CD14611BE7060181E1CFDE6F9626D496EF0D67D609818A397F1891F1414127DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:33.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:33.981{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005A4E4090D215BC3B91BE21292A072B,SHA256=746E433118A9297917D6D8056CF76726E5F4A3D47F5593836C61DD4794E61C67falsetrue 23542300x80000000000000001550728Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.422{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC9865DD53B01E58D63767C33D87673,SHA256=ED7FD17B2294B7165D15387B7455CC35DF42BD8D41052E56D28C8D58CFFAC396,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550727Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:25.822{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61705-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550726Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.391{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C2FAA5F836A70467999536B2BA99EDA,SHA256=547F95E0BB71A83D0BC6A06511556B8942A613A21A46BD3F48CC0B5570E8B489,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550725Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.206{AEE49BD1-1175-6139-9CD0-00000000F101}9403796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550724Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.075{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1175-6139-9CD0-00000000F101}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550723Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.075{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.075{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.075{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550720Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.075{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550719Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.075{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1175-6139-9CD0-00000000F101}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550718Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.075{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1175-6139-9CD0-00000000F101}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550717Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:33.069{AEE49BD1-1175-6139-9CD0-00000000F101}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005495224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:34.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:34.996{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D87152144FB28560B6C12C22E5349E,SHA256=1EB2AD9444BE12A83F974EAD07DF25F49D4B90E00D4A0EA4151B0E44F49182C5falsetrue 23542300x80000000000000001550729Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:34.424{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47285A6EA94EBA2DF26692506C1C23C9,SHA256=AE6F8AE2FA80505A66BC7E20456F781CB66266FC179F95ADDD85073278AFA6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550730Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:35.427{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0796064BAD12C3D2624600A9F0F10D16,SHA256=BA6EC9A433BBE7655E6676039A63B05193712A8E39CFD2FF125368C8562A2C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:21.721{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49769-false10.0.1.12-8000- 11241100x80000000000000005495228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:35.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:35.543{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F7AB31D8345E60116DAABB2212EBE099,SHA256=80624464E56794FC71EFFEB48906E066566D0D427AA08D545A5E4A6B90F3E833falsetrue 11241100x80000000000000005495226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:35.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:35.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39CC8032F3A75DB0A4CCE8894939EFF6,SHA256=800CF368C0E93CE922E7B13FD1F65D42E079AAFE8FEFEB1287E3E68D308FCB22falsetrue 23542300x80000000000000001550731Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:36.429{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E90A963E5405BEC69AFDED685A5D6F,SHA256=A2CBCA0878EF04CC289C9A7CBF9B52F4D0661092643E71718ECE6B7120A03636,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:36.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:36.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D9EFE55BB157A0B10A090B046C022F9F,SHA256=0607277D2162E523AA1AA93B3C8FB73E2A6078C905E39EF76D25AAE43620E3E3falsetrue 11241100x80000000000000005495231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:36.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:36.012{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9C4AED623E21AB89EF9FADDF8F52E3,SHA256=EF32B39FFDF5EA16E6FA27E29061C93AC1C9DEE37E537B77AA4DC2FE42EE3EEFfalsetrue 23542300x80000000000000001550733Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:37.865{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7255MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550732Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:37.431{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20421580B25F4F8B59158D49EBB2666C,SHA256=791FEBF6D88B058CCBB1877BA0063792BEB67C5A52A4617D93E8D3CD484AE4D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:37.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:37.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786796437412A576380A16D0BE6DE76A,SHA256=5463C7702031BDC54F6969AFAC8583A182B00D0F6BFB03336B3227ABA32D666Efalsetrue 23542300x80000000000000001550736Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:38.865{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7256MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550735Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:38.433{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CE1DFB0757C82BF8F1133D646D1003,SHA256=83C2BB24AB38C010BFF5780C85464035FB84D53FD01E9F663AD39BE9F0720A6D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:38.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:38.043{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE94C613A2232BAE6DE26973490EB9E6,SHA256=821B06F0B0C95D3EB565FB127068984F8B89C38D99DF690DA795F89B6FF85E37falsetrue 23542300x80000000000000001550734Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:38.133{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B010139FFC6206DFA9A7B588B2B812A,SHA256=2036BFD12E32191267973F88C36F3E7CFC1F1A59BFA879C63FCBF11F5CF6A46A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550738Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:31.719{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61706-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:39.435{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C37939072D2ED030BAAF3D860EF14B9,SHA256=A7401CC31926978D9B41A048E8C3347B0A45B350DAF6F6FA08A4224A0AD9344D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:39.059{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:39.059{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FB4FABB71970B582ECE26275E251A9,SHA256=E6EDDBF7F8D74A87609D9F089900E4806FFE96369E8718B87DB9202F9443367Efalsetrue 23542300x80000000000000001550739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:40.437{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE3A5DA01D95F63B197C188A3487EB6,SHA256=9DBDCE5F3811E33FD26D92DCC15F594DE3621C2C33D864555DE9C0A536BDD33D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:40.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:40.590{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E060F838BDC817CD413BC7C27E4F504B,SHA256=76A04EC60785510ABEDFE35DBAEBB94C8D09B44DB19682F22E028D8602575BA6falsetrue 11241100x80000000000000005495241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:40.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:40.090{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D5F9BE34C7B9E5CE38BD53AC9CDEE5,SHA256=E5486F9566B8DBE01A1E21D1787D9678864845078808C06B0CD75279BC9F2F36falsetrue 11241100x80000000000000005495251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.418{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A0596E492E60E78D2953B5DF050FE7D,SHA256=5C0BCC38CAD8D8996F432E87D3AA677368774434C09608F59DB97DB72E29A1EEfalsetrue 11241100x80000000000000005495249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.153{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.153{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C019A4DD2812329EC340942C4A8B20,SHA256=29F2F63F7460495E912C01281DF8DC66D5F535991053EF933EB8B9274198A949falsetrue 11241100x80000000000000005495247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.153{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.153{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D702EFFDD360203C18F1C9BA5E83D1C,SHA256=48E86888B5603E402111CE80FF99080F96129106E7CCB1E314EA13CB1EE4AE7Cfalsetrue 11241100x80000000000000005495245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:41.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A01D6CCE40BCE8ACC6B82B9F891030,SHA256=10AC70D4E32EDCCDDE0D7825CA4E58CF205176CE1C0F9BD0D79F25FE8195EDCAfalsetrue 10341000x80000000000000001550748Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.492{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-117D-6139-9DD0-00000000F101}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550747Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.492{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550746Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.492{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550745Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.492{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550744Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.492{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550743Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.492{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-117D-6139-9DD0-00000000F101}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550742Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.492{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-117D-6139-9DD0-00000000F101}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550741Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.487{AEE49BD1-117D-6139-9DD0-00000000F101}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550740Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:41.440{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D56F714FE86537B6125E7C2843A604,SHA256=C2A98D93EF4622DD6020EE0764F4C7611B422E802E2D02C5CD1C30C5768193A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:27.612{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49770-false10.0.1.12-8000- 11241100x80000000000000005495253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:42.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:42.199{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69BE666900F734ED28F4A240C3967AB,SHA256=5768EEBE038DB93BBB69EB1DE37A3688ACD857C5B0151BA2D13E617373568189falsetrue 23542300x80000000000000001550750Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:42.492{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9239F0CC1241399DD7260536F2F77E22,SHA256=6D0EFEE3AE530A7D9CCA6600D0962B062F2D49A639DCE1368E142FDDA797B627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550749Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:42.442{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2424A1BBFBB54075499D1F300D1EF1A5,SHA256=241EB7855FD850D76812217A8334A0E7D3123ED1386EB4155D77BF755CBCCE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550751Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:43.444{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F898F27813F1C54A9064F78CA558DC8,SHA256=285FF221830EA2D1B4CA8108BD9D43C8279069BC83B5270A511E15441065DDF0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:43.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:43.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54657897D4BC07CBA7FC0657F07D41A,SHA256=505C278C93141C867B367C89E4EBB2863FA7C2469A8F80072770D3E73BA31AF4falsetrue 354300x80000000000000001550754Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:37.678{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61707-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550753Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:44.446{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E328668AD5B4955BAC8B9E053706743,SHA256=A016278A9E10BFBE84132E00C7CBC623099B8C18FDDF05BA460F53B5EE98AA7D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:44.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:44.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A1A641C76A8639240B527F260FC625,SHA256=07F28933D65AE8B85459B13DAAF7D2C22D1399EF653154B241D4A327B92538CDfalsetrue 23542300x80000000000000001550752Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:44.077{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F170F57DE0E2383424B2E610C1AC95DC,SHA256=A118E554AAC5C8FB21D8E2A2C4B1A8D3BB76AD9D392493E95A570E0CBA707B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550755Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:45.449{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8052C5597C93A589FE1CADB2936172,SHA256=6D75C354EDD6D66CC490C4C6A0BC24923D12974E71D6959BAC02E93BFE46B427,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:45.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:45.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C4CDD26728CF92C66662F326B08811A,SHA256=CA3B116AB27001EE97B4790BCA776A29F6BF98D37711C1E38AECC1CCB7FF3D5Dfalsetrue 11241100x80000000000000005495260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:45.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:45.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B3C4CE2B25830274620D8E3C8FB551,SHA256=91301A2A3FA727E2B45768498BDD6E0D924BA892ABF4347086477C9B072393A1falsetrue 23542300x80000000000000001550756Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:46.451{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81435F89B60EC710251284CC0E1C061,SHA256=73C9296ED019D1380520983656E9083A0A373597698D14E5C89F93563830B10F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0B068A67D1D4BA61B2CD5514DA5D0C1,SHA256=88257F9C537E1AF54B953540AD21BF864B55950D6C497B752A2955EC18F0FD73falsetrue 11241100x80000000000000005495268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C019A4DD2812329EC340942C4A8B20,SHA256=29F2F63F7460495E912C01281DF8DC66D5F535991053EF933EB8B9274198A949falsetrue 11241100x80000000000000005495266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87F0F7942DDF78F134B1F003C3A9E099,SHA256=C87879B9D134064511896F197F1F055DAE29D5FF9F1C21E8222599671952D46Dfalsetrue 11241100x80000000000000005495264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:46.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2772E77668B904F5BF17BA9BFDC1CB,SHA256=351CC18A51858B0FDCF5228E65752CF1C2DC7829820C981E4BB188F73162D695falsetrue 23542300x80000000000000001550757Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:47.454{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67D986B438831014F6B2BBC61807C6C,SHA256=89D20673EAE9F2BE2F223FAAE0BA12578B7A36A0A1D2C9DC9B8289A9BD0949C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:47.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:47.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC666BF628A8F18D929EFCAEFD8F32D8,SHA256=8CA84C52FA3B7ECFF92256E4382383D1CE6B1B8C033FE0E15E9F9B115BD80496falsetrue 354300x80000000000000005495275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:33.597{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49771-false10.0.1.12-8000- 11241100x80000000000000005495274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:48.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:48.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316B04BE70B1F5FCEDFC7820C378CD84,SHA256=ACC455C7FA631001735A03C1648FDC7AE4D98FEDA9D8284837D2EBB171C65DD9falsetrue 23542300x80000000000000001550758Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:48.456{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36ACE0336E48BE79F31C749E325771DC,SHA256=CECD980862B6B712A22935C86A8545FDA31754054E27A7DE6573235F6D3E1EAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:49.357{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005495278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:49.357{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005495277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:49.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:49.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854B8C987F7F869AD33087FBC8285CE0,SHA256=13F8BA917975B4743CB60767EB3B67F4C08E9FA20E32F08B337D9B138A0F5BA7falsetrue 23542300x80000000000000001550761Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:49.458{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6DD734CC5909F8419BCBFE6A20A2C9,SHA256=8D488C72F7345EED9F18A8758F1EE9F58B2BCA052B01D95C20C74EFD07E3CF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550760Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:49.108{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E910A727277F9E9CAADB6CD11DE7AE17,SHA256=F44824E8C804B6A6782F1916CCD9755EF3315769C75CADC2F1E7DBDBDF0D5FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550759Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:49.107{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F32B87C7A020AFFC77F8479D141B9AA2,SHA256=9CAB8499F7319ED41465719D22E85091A7BFCAAE88D6E50AAF6D0C100104A690,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:50.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:50.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=781B12EA129ABE757E2FFA3FC8A60D5F,SHA256=CB99AB6A34E26FD2442960F3C7E5FD043A7DEA6DF6F755BED8466C3DD1713746falsetrue 11241100x80000000000000005495283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:50.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:50.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE2C98FE46BC57D8486D11B2C3A10B0,SHA256=81029A37BD521C427FC05221DAE182A5B38798F856D90E2C8830AF8EF232F600falsetrue 23542300x80000000000000001550763Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:50.460{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF28A0F79504E6B3650DD997CE60511E,SHA256=23CA936E4E73C2AE6F040412DCAB975F80B49E82576E484ACD4D639E7E8C8A7D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:50.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:50.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0B068A67D1D4BA61B2CD5514DA5D0C1,SHA256=88257F9C537E1AF54B953540AD21BF864B55950D6C497B752A2955EC18F0FD73falsetrue 354300x80000000000000001550762Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:42.709{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61708-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550764Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:51.462{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8424E4CC7217EB9B073F8748D64EFC,SHA256=FB6EB5BA403249F9854DE4979383C86CA156CC536259A4511F525E32B85B1171,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:51.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:51.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE202A6DD49705AF072ED99EE4F6FF1,SHA256=D2FAE81FBAAA11661DDE52E0232180D7A726ED5A68F5AC873390BDC284EE3C40falsetrue 11241100x80000000000000005495290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:51.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:51.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F546F417A9AAFA592691EAB6487061B4,SHA256=B18DC8315095B8C6D5E366F83A7F87D706CDD838583E0037382C5756E79D72DFfalsetrue 11241100x80000000000000005495288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:51.450{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:51.450{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7289E21D25C2B06A690FE88A719E270F,SHA256=6665AFE677887797C9DD479399EF65530340E6FD7A8F629454AB90CE314DF099falsetrue 354300x80000000000000005495286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:36.847{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49772-false10.0.1.12-8089- 23542300x80000000000000001550765Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:52.465{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2B23C93FEC617FF0449E3FFEB64828,SHA256=93697B2A9C9DBD0CE14619C5BADE604F981FCA754847E0579E87C7760A08188C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:52.512{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:52.512{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D12CE2BAEC76CBC3814083CBD8C66D,SHA256=E4414EE2886DF8D2815FF43C78E9C04D69B6F2A4C014A500D630E9D9D342AB87falsetrue 10341000x80000000000000005495293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:52.419{4DF467A6-3F47-6132-0D00-00000000F001}8961856C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005495300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:53.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:53.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E862BF7EF420B6F30A80BB619DAD96,SHA256=4138E2665BB7B46DC4FD3400D460F81269E9261FA53B367D9F84B3BF4BCE61DFfalsetrue 23542300x80000000000000001550766Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:53.467{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CBE336E4DE5FD1E63C383BA6E775D9,SHA256=0B9D46FA1ADFABB04BE1D4B9A365B378577E68CCD04D1ABC2DA4AAFE414B9510,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:39.612{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49773-false10.0.1.12-8000- 11241100x80000000000000005495297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:53.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:53.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F43B9FD7E2BA521AB531AB1FD56EC04,SHA256=8202D7DA374A73879623B0C403384E460EB23FA21430CB8EE845E5403E461E56falsetrue 11241100x80000000000000005495302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:54.544{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:54.544{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B600538A7CFCB4CD4FB1DEE984D6392,SHA256=2F19010EB85AB835D961CAC8B6299672C11B92654A142734030B608A939E96D3falsetrue 354300x80000000000000001550770Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:47.770{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61709-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550769Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:54.469{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1116E0E4F949FBDB892B8A6FF8A2991F,SHA256=559DE30E412C2124947B96867C602059562C502AB35A564176BD4B4871E02B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550768Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:54.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBA33A5AC39AAFAB1C4281583D492BF5,SHA256=9AF4FA7848F1DE242375139F906D4D6BC1E711EA60766B8FECFFA579B5B391EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550767Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:54.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E910A727277F9E9CAADB6CD11DE7AE17,SHA256=F44824E8C804B6A6782F1916CCD9755EF3315769C75CADC2F1E7DBDBDF0D5FE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:55.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:55.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=59ABAAF2F6D601D438571425C3F9DB2F,SHA256=D7B39DF803E03CD416007CD08CEDBAF1DB437941A9575FA0E1223D8C957BFA08falsetrue 11241100x80000000000000005495304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:55.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:55.559{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D0241598A91EA3DD5048CB3DFEDC39,SHA256=FEEF8DF32D8A1D067EF08842DC96C98C5FCECADE530004B26C412A2B6196BC9Bfalsetrue 23542300x80000000000000001550771Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:55.471{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83DB57BB5156A563615F7100D444B3B,SHA256=5C51F11D76192A0CC1DA71FA4252269A95D8D2527699940133B9609A721D6A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550772Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:56.473{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A512C814CB232F4D07E03A799A50BE,SHA256=3DC26FCAA0C5E921497AC908AD088A49531F9444B42DF6CB5F9F2A3FFFF010C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:56.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:56.591{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E3FF40D52AC14ED200D14AF1CD8F8DC,SHA256=8114F037C2BF2236A1BBE9F311F55118E4E75907D98978578772A7F293D93291falsetrue 11241100x80000000000000005495308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:56.575{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:56.575{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5913BD0CB82D98D614D3F75E5306015,SHA256=1E8BA13F54DCFA689753BA0943E15969F0BDF1A9E13157A1C09D4751E512DD1Dfalsetrue 23542300x80000000000000001550773Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:57.476{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BB50D63ECB37772E3DC614E06C2F9E,SHA256=D6650CA9C76881AA7230D28803060E56A18BBF3C3499F53A5EDC53A3D78D1A0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:57.606{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:57.606{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E732008679EECA71E093331FDF94C9,SHA256=5E546BD7561CE79D491FB25E39A05526EC88AB001C90FF5DA44A557BB4C8D73Bfalsetrue 354300x80000000000000005495317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:44.612{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49774-false10.0.1.12-8000- 11241100x80000000000000005495316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:58.622{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:58.622{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBEC8FEDA8528D56B2003D2A1DED74F,SHA256=93346BB42015D3815FA510CC297B997CA2A8B4B15E044CE63E04E613C9C6F687falsetrue 23542300x80000000000000001550774Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:58.478{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D660EF25DB8906A509FED2252C60C338,SHA256=FA9467802C79230BDF399EAB128FF6D23C48DD12EC0052FA8CC215797BE20300,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:58.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:58.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=009DF46F21C94586E1251FB537B68436,SHA256=85C2368CB60A50B7E5F9272BEDE4B0397DB4C2DCDC6B7016F6EC5AF315F0E3A7falsetrue 11241100x80000000000000005495319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:59.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:59.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2B8AAD0F3F8A32CA6B64C5CFEC6230,SHA256=E004D7A1BA7AF9B2FF628B9B57D5856DBCB3DD1A70463AD12A4D7D12EA52DA07falsetrue 23542300x80000000000000001550775Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:59.481{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D945ACFE889F4D469992491B01268691,SHA256=1D350FB57D5F2AE4266A86050C9B50CEE1B366FA6F2962DD12063DD0FFF81D81,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:00.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:00.731{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C09C4F29387DC747B40205EC842F6D,SHA256=8D2CDE23EC2C741848690466927C869339AF6FAD46DB5CCD227D46FA738AB39Ffalsetrue 23542300x80000000000000001550778Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:00.483{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8BF5407F2D9F9A3D8A6D1BB6317164,SHA256=B041D38A05FAEB1F51CDFD75457231B256C67D9AA18ABE63FAF83ACCE07C4C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550777Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:00.114{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FADE6B04B9F4D49E81B7657822AA6FF,SHA256=C2B9724756D9CE308D753FAA76CC4F5469754B57B668673DACCEFC9C54E9B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550776Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:00.114{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBA33A5AC39AAFAB1C4281583D492BF5,SHA256=9AF4FA7848F1DE242375139F906D4D6BC1E711EA60766B8FECFFA579B5B391EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:01.794{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:01.794{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE96808CBE84B87FDC3323DB90CEC65,SHA256=E0B3473B4B36D91E36DA32CEF1F5CA9D4C1D1F46D696E4CBC0C89F7A7CC9DD72falsetrue 23542300x80000000000000001550780Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:01.485{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D4FFC838D739BBC8CD5319DCF25CCB,SHA256=1D474F5C48A36B17E929E3EC512E85A1525C48BF4089197829AF3A83112E55E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:01.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:01.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8623F4003BD0930AFBA0F93118CC985E,SHA256=9E91BFA4490A0C497A2FCA171D3D8D1E09CE9B7D3E320E15184E195C5C8CCBF7falsetrue 11241100x80000000000000005495323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:00.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:00.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=46CE84AFF1DE9B8183CB12EB25FD56E0,SHA256=BE17030F2B06E174833E41D64F4086875E5E084D9D1934D36410E7CC84F29B85falsetrue 354300x80000000000000001550779Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:53.714{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61710-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005495329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:02.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:02.809{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEC1F2B2772C104AB4D03B7841EFB79,SHA256=41DA95DB96EC02DE257163963F5CD4BE32A1177D79E5218C89AA920503C4C79Dfalsetrue 23542300x80000000000000001550781Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:02.487{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC60588D4369B68B75733922D4EE16F,SHA256=65332432134A1289491B23DBD86CE0A31770F28EF3ADAD0E5F886B8474D864BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550782Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:03.489{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE876DD12BC3CE61BDE062DA11AA1EC,SHA256=47837EA60E60FB7C5578D08F4F1C1A3E4E3BD7B1C066A50D86F617B29A08538D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:03.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:03.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA354BB9C74036219D396190CD8FA723,SHA256=D0537FF4541E87A32F37718EFCC7E2A13FACD729258637328574FB87466BB7E5falsetrue 11241100x80000000000000005495338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:04.887{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:04.887{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A6F4130CAEA18360EC5AF9F9A21060,SHA256=12F2125EAB0426078D3D5480BFCA0143D8F4007801CEDF3DB84B6F782FAA655Bfalsetrue 23542300x80000000000000001550783Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:04.492{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4B0162BCA916EB2E718E6C84ADBC0C,SHA256=732E5FFAD205AE0DC8CF25C4CEEC8B7B552D04776244A8C0C13FDACB8865938A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:50.628{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49775-false10.0.1.12-8000- 11241100x80000000000000005495335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:04.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:04.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80E97847319B871ACB91AD4394D306CC,SHA256=B0037F82D8479AAA1932879872D115992ED0FC68867392DFE7E7DBE1BE924B9Cfalsetrue 11241100x80000000000000005495333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:04.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:04.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8B4D4149E1E4A39C6BE39C1A76830D0,SHA256=8DF7DE73810B2CE46105003AF9FA13F4BEAF35AEF164E8B16D2E95C0AAB58D8Cfalsetrue 23542300x80000000000000001550786Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:05.494{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E40199C93ED37A3ED2E693CF96B10A,SHA256=B4C43D0D3A4759D2F06270932E7CFD993B11089B0093D232D29FA1663B8A7AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550785Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:05.224{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=126802C2648A5201D121F9B4F2756586,SHA256=DA7A62F2EA9F0AB37A4CBCACE39CE90DA7510B8AA9E40C92B5A1AA012C07D3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550784Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:05.224{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FADE6B04B9F4D49E81B7657822AA6FF,SHA256=C2B9724756D9CE308D753FAA76CC4F5469754B57B668673DACCEFC9C54E9B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550789Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:06.565{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76DCBA9B8A7BA049F9C4433DE3D35996,SHA256=E7B2CD996CD74BB79E50325738165667ED7E4805A91A4D6719869E2DD9FDC3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550788Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:06.496{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF7D63004253302F7702EA2F638770E,SHA256=7122DB0380E3B5F67796BFE619AC7C0A7A0F0FD3CC875B8AC408A64A2EF6BB35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80E97847319B871ACB91AD4394D306CC,SHA256=B0037F82D8479AAA1932879872D115992ED0FC68867392DFE7E7DBE1BE924B9Cfalsetrue 11241100x80000000000000005495347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7F63B90131D4E9818907664A7D9BB257,SHA256=C9A2B7FA26D4EC39AD9BED770F590E2022BE5EA7AE6413FD72FCA01ED7B3B0AEfalsetrue 10341000x80000000000000005495345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.137{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005495344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.137{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005495343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.137{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005495342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E146FEDCCA9329192C4345CCBD7967B4,SHA256=5B806D14F6D8336B43FF9CDD5FB27EB2A52761848806A41799D8775D8E4E6108falsetrue 11241100x80000000000000005495340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:06.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81136D900B681930C140A306B1FFAF75,SHA256=A9F70A3A78297DC60B66986466B8976F9E56A89D16FB4A0B5324232FB5AA2F0Cfalsetrue 354300x80000000000000001550787Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:39:58.794{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61711-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550790Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:07.498{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF0B6C7E7D079020EB50A6617FFA81F,SHA256=09B83E5187531069F88AC8865E422D739EC55AB9F3BDD4ECDD8AD256C20ED9B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:07.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:07.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD82DA5030426DC99A24CF0ED77F29F2,SHA256=1270806BB25CFB413838D8E79A1B98C6FF5DA9C3E0B57548B6C7184685345E67falsetrue 23542300x80000000000000001550791Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:08.500{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B242C3FB48CD9D439DEFD3145ABFD02,SHA256=C3FDE007093A5998EFB858FF7A636032BE3A423A22BA5B74A8BBDC6DE97584CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:08.231{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:08.231{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4C711AF01B8F4BCDC2B60DFF01BB38,SHA256=8234D8A42FFAA718277E95DA914C071FC77A0F219DE0D0639F4F67CBFB0A9FA1falsetrue 23542300x80000000000000001550792Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:09.503{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ECCB8A0D16DF23D3A78AC855E4EE3C,SHA256=9846097B7D5643362E2C347C5CB50ADC950622A142AB7D046EE3E490A46BA709,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:09.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:09.387{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887E23A3314F8373F962D7663252415D,SHA256=A65696F943838FD2467AB0B73E45D719B72126EEF94E0D128313DE18485D915Bfalsetrue 23542300x80000000000000001550793Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:10.505{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC2D73A9146D18F0FA70F5720549503,SHA256=AB173F92E72397BA580F29152688190D9D1BFEFC4CB91650F47A63B9D52CDD25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:10.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:10.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A059C0BA787D95C326F763BFFD71E111,SHA256=DAB2A9C99E22227034DC4ADA2D9EAAC535FDD18B62D558562B3AFA44800913FAfalsetrue 11241100x80000000000000005495357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:10.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:10.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A437246EA2B30B44717CCFF41EF34D61,SHA256=307341541D68710EA58FA62545813BB5AA7EFE1C6E608D9623F972FE971E2542falsetrue 11241100x80000000000000005495370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.806{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.806{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08D065E3AFCA51EEF7D448F51F542B11,SHA256=E40FE9B3D09777E10E2849ADE84EA96994C8D34B866A8DD4FEE260DCF440562Efalsetrue 11241100x80000000000000005495368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.774{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7D6AB2AD474C90B072126985FFF3F61E,SHA256=51959402815090BE598A53F16230439638F2891EF86695BC81D7E91AE8FED80Efalsetrue 354300x80000000000000005495366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:56.596{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49776-false10.0.1.12-8000- 11241100x80000000000000005495365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196EBC54212DCA9E707A73C6114DAEF1,SHA256=E9C7EF54E3920F39B413ED45321F340F0660715BAB9177EE7A921DCC8FE92BACfalsetrue 23542300x80000000000000001550798Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:11.960{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7F15D304976116E1E3F1B92C38745180,SHA256=A5E3ADA33BC58E64AB081E243DF2EDBC5AC87514FA72222FAC38C4592066B0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550797Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:11.959{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DCA3C902252671BB5138A1DCF704350D,SHA256=E7864D6DF2ED2DB87550A25175C2D88FF73BFB8071A23B463E9D1F58CF91F1F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550796Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:11.507{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE14F66B8EFC0FCB5D3890D63804BB99,SHA256=57E8A506099E9D94F19F8E35801520A7942FB705E8AFC9DDF67C50DD78614236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550795Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:11.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84879A34FD32606FA1474226AD0C6415,SHA256=0D980C91D460B5F7F528262200F891E51E95A221E93420418B070ACFDF7DFAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550794Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:11.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=126802C2648A5201D121F9B4F2756586,SHA256=DA7A62F2EA9F0AB37A4CBCACE39CE90DA7510B8AA9E40C92B5A1AA012C07D3F7,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005495363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:11.243{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005495362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:11.243{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005495361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B2FB6BBA1AB5B4AC91701239D88D64D4,SHA256=B671ABDFCD05CDFC048CACC25999699051E3F9FB885030393A3ABC05AC57B2C3falsetrue 23542300x80000000000000001550800Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:12.510{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA5B9EE3B9A71EA33257E4B6116C5DF,SHA256=3B3CFB814532DC8F078A3410D53AC71D54F5C143E64BDB22ED77FB995C835DF0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:12.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:12.540{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5206727A8EC86226D02EBA79D990E4C,SHA256=AAB0736D5020BA7AF52027383A632308AD8D645FDCA5F64E9D2A174FA83CED12falsetrue 354300x80000000000000005495372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:58.748{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49777-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005495371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:39:58.748{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49777-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000001550799Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:04.707{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61712-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550801Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:13.512{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CBAB7AA59F8ECC4D11DF59D9998682,SHA256=30F8E101F0E6A0ED0017EF6AF72C0CE14B78424A6955C6CDD61EE62750123564,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:13.556{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:13.556{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2539AF407624EB51E1354DECC7F3F4A,SHA256=018DFD432A1F169A506219CE9080A094062EA76DF7A1385499E6BF4AF65B6D8Afalsetrue 11241100x80000000000000005495378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:14.587{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:14.587{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB15668FD9A619C2E597395257A1059,SHA256=07093787B46B3705AD55E16BF565FEA2B94718FC33AA1B7D36F10033585253EAfalsetrue 23542300x80000000000000001550803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:14.784{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550802Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:14.515{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45885CBECC62CA00DB588793F7582355,SHA256=56736CB8C0628B6D743EF548044711FD18451A35D49FB46B05CDA1D08BF810F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:15.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84879A34FD32606FA1474226AD0C6415,SHA256=0D980C91D460B5F7F528262200F891E51E95A221E93420418B070ACFDF7DFAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:15.517{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73D971A3BBD48305B1AA6D14D79D1C0,SHA256=C525A68273FB259AB4F020508E65B70EDB21BBAF9E88D98CB3B7E843E55DD7C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:15.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:15.603{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC4C2A3AF3E5EE2505B78F959525644,SHA256=1028A884D4BF089ED55D3E4DF0F43014DE855BBBA9908B1337B0329E5FFF2964falsetrue 11241100x80000000000000005495389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:16.837{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:16.837{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D095AD52A8AB9691D8D7B4E3C1C40292,SHA256=386A2EE4CCBF43605ACAC96FB83874D89CDB016835482AAFFDA4B8E307B3AF31falsetrue 354300x80000000000000005495387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:02.639{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49778-false10.0.1.12-8000- 11241100x80000000000000005495386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:16.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:16.618{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D89F1C316CE8F012F97A3C7F4C412FE,SHA256=BEC963C0FCCDDDC6B89D002D49E694E888366DB55778659B9C284252208B6A33falsetrue 10341000x80000000000000001550815Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.835{AEE49BD1-11A0-6139-9ED0-00000000F101}27243296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550814Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.720{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11A0-6139-9ED0-00000000F101}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550813Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.720{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550812Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.720{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550811Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.720{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550810Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.720{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550809Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.720{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11A0-6139-9ED0-00000000F101}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.720{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11A0-6139-9ED0-00000000F101}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.705{AEE49BD1-11A0-6139-9ED0-00000000F101}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:16.520{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D664286ECA59153FCAC04AD452D393DC,SHA256=078BDBB67653E8C8F441F763A2FF85F30F8F5F8512F1FE078A46861944374ECC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:16.149{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:16.149{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6A48FC2F094D15C933419FA4765BEB,SHA256=55479350CD9596B2C63C8284E6389C65F55FA78D4F4521F15EE25C527309ACD7falsetrue 11241100x80000000000000005495382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:15.993{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:15.993{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29C8C514C65498FF66BA76F7F7D1DEA3,SHA256=407A74B334E4A0175032DF72136931BE9AA99EA5223C82C2838555FCBE0C1455falsetrue 11241100x80000000000000005495391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:17.696{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:17.696{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD85B167879A665B8C203F5A31AFA45,SHA256=C25ED54648667C52EA78885F9703092C4CDFCAE1362832B694B45895E657F031falsetrue 10341000x80000000000000001550835Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.951{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11A1-6139-A0D0-00000000F101}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550834Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.951{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550833Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.951{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550832Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.951{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550831Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.951{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550830Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.951{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-11A1-6139-A0D0-00000000F101}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550829Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.951{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11A1-6139-A0D0-00000000F101}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550828Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.936{AEE49BD1-11A1-6139-A0D0-00000000F101}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550827Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.535{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25C372AC478BDD82D88D5D1624D7432,SHA256=128A0967299412C34BE3B1AEBA3248FBDE7DDB2FEF6E71C071DCBA912EB432BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550826Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:10.706{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61714-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001550825Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:09.365{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61713-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x80000000000000001550824Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.251{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11A1-6139-9FD0-00000000F101}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550823Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.251{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550822Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.251{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550821Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.251{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550820Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.251{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550819Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.251{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-11A1-6139-9FD0-00000000F101}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550818Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.251{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11A1-6139-9FD0-00000000F101}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550817Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.236{AEE49BD1-11A1-6139-9FD0-00000000F101}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550816Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:17.135{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34F7B16DAA2A2F77670596B607E206DC,SHA256=5037BDE1ACF700994D1CDDEE3F1B23CA79331619FBD8768903A03652A87A0666,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:18.712{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:18.712{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809617B0663B83B3DCA1CEE0C0D2BD7D,SHA256=AE2186DF869056BD53A1F0BE35A0ED92668403A6CE56D3789988E103057FB3BAfalsetrue 23542300x80000000000000001550837Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:18.536{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB196B6A7FC522033473CFEEAB21A7C0,SHA256=812C85A2B17FC77622C9FD2BFA43292FD54C9F1F0EFFA0B5A2D6859463A1FAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550836Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:18.236{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CBA064B5DF4AC33C91B211DAE5D28E5,SHA256=D4A78E8F83FF8231E62ED0622E214E724108D86B204E4491D652F7210EF112EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550838Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:19.538{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EB94FA0EA44512EA4320E94A4DB095,SHA256=8CF2E76184EA1C55271063CE3CB67C0732FF4780AE376B198A116EFD9247AD2D,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005495449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.571{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005495448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.571{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005495447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.571{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.571{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005495445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005495441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005495439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.462{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005495424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005495408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005495407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005495402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.446{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.431{4DF467A6-11A3-6139-A5D6-00000000F001}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:19.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:19.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:19.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:19.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:19.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:19.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550839Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:20.541{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294951FF3F4E296001CA7A1AB8E8555C,SHA256=1D27A95A7DE4D4E85239B45F98DA459F0F2811AADD25D00E642BC984F223E24E,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005495567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.946{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005495566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.946{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005495565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.946{4DF467A6-11A4-6139-A7D6-00000000F001}35046136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.946{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.946{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005495562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.853{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67F7C49319A38AEE72D4B0A95647EB9,SHA256=91014F9EB35FD65A221222DD631EF66DC3CB727D66CF5B6AB2321EAEA4FC0678falsetrue 734700x80000000000000005495560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005495556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005495554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005495538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005495523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005495518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.821{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.806{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.806{4DF467A6-11A4-6139-A7D6-00000000F001}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.806{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:20.806{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.806{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:20.806{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.806{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:20.806{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005495509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5968AFADB4B28068597A9524AA7ECD44,SHA256=69B416857BE0CFD8D549BF1D169D164DF91A51129A5A9B053A6041C00FCFD0A1falsetrue 11241100x80000000000000005495507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.274{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.274{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59CA067EEAD6BEF4F9333B4930597CEE,SHA256=1E03523A469597D72E561CD79AF6E7B2DC0276A0D215AC96BAFAF587C7DC7243falsetrue 534500x80000000000000005495505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.259{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005495504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.259{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005495503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.259{4DF467A6-11A4-6139-A6D6-00000000F001}1428944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.259{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.259{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005495500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.149{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005495496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005495494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005495480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005495463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005495458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.134{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.118{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:20.119{4DF467A6-11A4-6139-A6D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550840Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:21.543{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFF225173618D6D45BC7121229F6316,SHA256=E38CF1409719E3617065829C5019D09940B87CAF5D6C50AF9A035AA38BD31C15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6EC9C1B75AD724B2DD324B22C89D6105,SHA256=3FB15EB81EB8C7CA063804F7FD9D6634BBC1AE36C1D38EA863768D5ECC161D26falsetrue 11241100x80000000000000005495629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.837{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.837{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4A18293045C8B629FD38CD9DAB2BBDE,SHA256=D3AD293328911E6E1D1E39A675B4C66341768AEC6C523E7D07F2D0D42F653185falsetrue 534500x80000000000000005495627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.509{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005495626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.509{4DF467A6-11A5-6139-A8D6-00000000F001}66204428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.509{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.509{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005495623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.399{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.399{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.399{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005495619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005495617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005495612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005495597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005495585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005495580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.384{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.368{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.369{4DF467A6-11A5-6139-A8D6-00000000F001}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:21.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:21.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:21.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:21.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:21.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:21.368{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005495571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.149{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.149{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72319A2C522E5561171270222E9964E,SHA256=A18D8D3A1F05C6400252A4265DD83F17532B05385EB3975B798D8013B1F2AB1Afalsetrue 11241100x80000000000000005495569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:21.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E5E127D48471F3F4E8AD41632D57F7BB,SHA256=F25EEDD84BD2F909714AFD333D1F0C083B080002201164B542A1100094163123falsetrue 534500x80000000000000005495752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.884{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005495751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.884{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005495750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.884{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.884{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005495748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.774{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.774{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.774{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005495744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005495742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005495737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005495717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005495714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005495712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005495711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005495710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005495709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005495706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.759{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005495701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.743{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.743{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.744{4DF467A6-11A6-6139-AAD6-00000000F001}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:22.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:22.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:22.743{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005495692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.368{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.368{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12F65C7A5A455DDB0F6B8CA0265D23F,SHA256=2EA29B8358AB83ADE4995C3680B245160B79312074016C9A40BB8EB7CB80CE77falsetrue 11241100x80000000000000005495690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.353{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA05BB091756FF4DB2FA232B8056419,SHA256=C94470D0A04A8E2DFC952617501C5C4151A7374073C0B7C9387052C0773EAB7Afalsetrue 534500x80000000000000005495688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.196{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005495687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.196{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005495686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.196{4DF467A6-11A6-6139-A9D6-00000000F001}71407220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.196{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.196{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001550845Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:22.661{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550844Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:22.661{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550843Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:22.661{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550842Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:22.546{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743EABFDDBB7E731957B2A3AF169FA98,SHA256=9AE6CC485D305B9792EE66FFA25276E2111F71607712C703BB8F6D14CDED522E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550841Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:22.199{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4463BAE6196D4E53E9FDE75C500FFE56,SHA256=7D683B9E7686EECAFF6CD9A6A68740EDA9538AFA06670FB44D36F01D73DD0D46,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005495683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.087{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005495679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005495677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005495662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005495648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005495645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005495640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.071{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.056{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:22.056{4DF467A6-11A6-6139-A9D6-00000000F001}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:22.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:22.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:22.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:22.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005495813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.571{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005495812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.571{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005495811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.571{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005495810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.571{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001550847Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:23.548{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F5DAA537FD7F1A198901FF5A258876,SHA256=6EE680F093A5ADD4EA732B762E3736A5240A3DDBAEA27DA6CC0F8655C47A5E6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.509{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.509{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982D8F381B3809711FB205DFAB5858B9,SHA256=EB4E68B7F900250CD2CB6CCF841D051D346F2E6FD24889E0FD024E667F89C55Ffalsetrue 734700x80000000000000005495807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.462{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005495806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005495805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005495804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005495803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005495802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005495801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005495800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005495799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005495798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005495797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005495796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005495795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005495794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005495793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005495792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005495791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005495790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005495789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005495788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005495787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005495786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005495785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005495784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005495783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005495782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005495781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005495780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005495779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005495778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005495777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005495776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005495775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005495774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005495773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005495772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005495771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005495770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005495769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005495768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005495767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005495766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005495765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005495764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.446{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005495763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.431{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005495762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.431{4DF467A6-11A7-6139-ABD6-00000000F001}7292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005495761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:23.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:23.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:23.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:23.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005495757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:23.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005495756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:40:23.431{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005495755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.087{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:23.087{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E4B6119D0213DA64EDFEFF58E49DAA9,SHA256=B53244366C493968BDDFC720CA117D01E0EB7352E0A0BD5A979FC1466CA50B47falsetrue 354300x80000000000000005495753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:08.576{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49779-false10.0.1.12-8000- 354300x80000000000000001550846Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:15.780{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61715-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005495832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.647{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD65EE05C2E6E43A78E274CCDA1E8F0,SHA256=E4A4187F47C34B00E80B1F92B2FB447D2605252625B99905168CA61705E24FCEfalsetrue 12241200x80000000000000005495830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:24.459{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005495829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:24.459{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000005495828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968\lsassC:\Windows\system32\DFSRs.exe 13241300x80000000000000005495827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 12241200x80000000000000005495826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000 11241100x80000000000000005495825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML.TMP2021-09-08 19:40:24.444 12241200x80000000000000005495824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 13241300x80000000000000005495823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Config SourceDWORD (0x00000001) 13241300x80000000000000005495822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML 12241200x80000000000000005495821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 11241100x80000000000000005495820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.444{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML.TMP2021-09-08 19:40:24.444 11241100x80000000000000005495819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.444{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.444{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8438C8AAE0B835ABBFF2BADB5DB86EAE,SHA256=F9EF5273892362C8640541F81E482214BF952209399BD4F09A83E88AA9F4A10Ffalsetrue 12241200x80000000000000005495817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:24.444{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001550848Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:24.551{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E557F85AE2B45BE79FEF1770207402A,SHA256=ECD880FF321790B62CC49DB2D4D351455F278380003C1ABC6004DC7F358F03F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005495816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.262{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7265MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005495815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.260{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72652021-09-08 19:40:24.260 11241100x80000000000000005495814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:24.259{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72662021-09-08 19:40:24.259 354300x80000000000000005495844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.967{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49782-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005495843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.967{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49782-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 11241100x80000000000000005495842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:25.787{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:25.786{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F76FC3AB5BDCFA4C27EA1D8C7695C26,SHA256=B02F14659CB1D314FBB3EA48CE70031A723D3B933CF926FF90C52E8DA177A468falsetrue 354300x80000000000000005495840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.962{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49781-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005495839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.962{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49781-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005495838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.949{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49780-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005495837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:11.949{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49780-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 12241200x80000000000000005495836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:40:25.472{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005495835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:25.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:25.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590ECBB74024433BF49186B1F3F4DCA1,SHA256=1F673E9AC9EC693E6DD47CFB0D6F88DFE09256D2495791C9122C64786FD4751Ffalsetrue 23542300x80000000000000001550849Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:25.553{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F39BE3DCB79B46664A0466862D17185,SHA256=C97F102FC9FDFDCEE58242A9023F2BC3E1ECE72092CE661C3401C90A2342DEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005495833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:25.272{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7266MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000005495852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.991{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3103A738D486E5A3EABB6608A64D5F8C,SHA256=F8ADCEC90C530BBEC8D6D9A252A9014E5A2D0ED8BA307F4F0F3871EB7F459D5Cfalsetrue 11241100x80000000000000005495850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.491{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.491{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=303EC44F1ADA499F131018FA393AECCE,SHA256=6F487894CCBA61FB0935527046AC5BEB58E004F1D621EDB9FFEAB60769DA100Dfalsetrue 11241100x80000000000000005495848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.475{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.475{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD19C6D40E8AABB4A1BC9CFB822D601,SHA256=999A2E082915A63F3021715569B1EB9D01841E8918B023C55465A8E04B49CE29falsetrue 11241100x80000000000000005495846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.147{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:26.147{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3FA28EEC79856523191AE3BA3763BD48,SHA256=B43559C4D6FE0311ED6AD7A26AC3BCC0F2EAD4E97A624E83A760AE601A11C061falsetrue 23542300x80000000000000001550850Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:26.556{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4CAEC60A0C447808CC4F84429EAF02,SHA256=43EAC1EC0F0CC6AC03EAE4F6433F05191D82A0884516F2290BB3CF887BF64E1D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:27.491{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:27.491{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3036F1C9695E4CACACA0E08622ED208E,SHA256=B162C309796D1EC7C5EBF9C4D9A26AF5213542982CC4290BEA7FB20174509D05falsetrue 23542300x80000000000000001550853Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:27.558{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8913FA8B83B1BBE1AE65C6C56AD6D0DC,SHA256=3FDE02B61861C3ABA5BA72583445CEF3922AC0A038FE8999A170F4F2F3F93579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550852Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:27.227{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7693294CA50B8D1A2070CDAEFA04E426,SHA256=3FC64D016CD3B8683D13EBDC43CC71359F7EA79C649D6146C63BE9404E98F678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550851Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:27.227{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DF4F23EA70814983DDF6BE64470F2A0,SHA256=911ADA22C1A1C744159EC38F81E0B6425303F5E47A2D8D537E33EABF9E462B82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:13.605{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49783-false10.0.1.12-8000- 11241100x80000000000000005495856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:28.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:28.507{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9176EA50BDA61787DA87C757E9D64413,SHA256=2ADDCDE1878FC544AA914716E011BDCA14544212605A7BB90E416AA191968DBEfalsetrue 23542300x80000000000000001550855Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:28.561{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72162E5CF86840D269B847BA138ABCFF,SHA256=1976B15902624C49D42F06D16414AB1E479F010A43FEEB5593FAF034B9FE1522,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550854Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:20.828{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61716-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550856Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:29.564{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3F2DC44B90785D44AA4F8F27681479,SHA256=FDEB1CD36BE2CD2513DB4D3F5E5807B016BABA44E25B10343ACD82E71CF30DBA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:29.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:29.538{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE07590FD90585A2E055868F250E3C2,SHA256=E480FD6C4B58C0F849CEEBD77AA3570C7EAE775640A7DCB8483F92C1EDDD3EC4falsetrue 11241100x80000000000000005495863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:30.967{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000005495862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:30.967{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=60EC0507B49A8473FD28F6D90B54CBC2,SHA256=E3E7EA53735895E4F34661D97A9E0A029DE34AB3E430A65FF9F7FA99FC007DD4falsetrue 11241100x80000000000000005495861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:30.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:30.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2343BC39723192B41E55EE852EF41C52,SHA256=15D17C2BC1EB1B78AB7D450996B3696DE926FC388E63C03816980757F401BAC1falsetrue 23542300x80000000000000001550857Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:30.566{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBBCE8094FC7BF9F6045EA69DCC0CFE,SHA256=C0C35FBDF444544CE15E0391F79434B7F121CEA5659CBCE98F5E8F2C28570D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550867Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.737{AEE49BD1-11AF-6139-A1D0-00000000F101}55123920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550866Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.605{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11AF-6139-A1D0-00000000F101}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550865Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.605{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550864Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.605{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550863Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.605{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550862Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.605{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550861Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.605{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-11AF-6139-A1D0-00000000F101}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550860Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.605{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11AF-6139-A1D0-00000000F101}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550859Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.600{AEE49BD1-11AF-6139-A1D0-00000000F101}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550858Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:31.568{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF710ACABDFBADB2437BAF7E134B35AE,SHA256=7C515BFDAE7F6B5DC78DC6AE9B3D4C5F9E54345473A89A91214135E31543EBBD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77F7DD8420B7882129D449E9B30BFCF,SHA256=1A37BB7FA53A3F6F2334050F21E2812814AE10AA02B93E255C115B15DC8ED09Cfalsetrue 11241100x80000000000000005495869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23367947961B08C0DDCC4DAD7B7D851C,SHA256=C53581067C664E246DE2E3E5C0B36EA3B4B88D204B4B45917E7502249D4823E1falsetrue 11241100x80000000000000005495867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.639{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164F3081655383A1A29554731A99C72D,SHA256=111FE64A488CEE04B8CD4FB8F0F268B69198E73E3AF915CF1EB4CB64126AD675falsetrue 11241100x80000000000000005495865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:31.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A27B981CF47FBFB7CBDFB61BD1DC41D,SHA256=066534AFA78F4DD5D67B585F79E130F276A9F8B60B8B8F716CB1CEDA3CC9F47Afalsetrue 11241100x80000000000000005495875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:32.654{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:32.654{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13A78464EB4CCD85350FD48411F7F60,SHA256=A2123F72913DCB0E0036FE6B60C857149736A118D385C63203F64079E09A36BEfalsetrue 10341000x80000000000000001550887Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.985{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11B0-6139-A3D0-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550886Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.985{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550885Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.985{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550884Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.985{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550883Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.985{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550882Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.985{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11B0-6139-A3D0-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550881Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.985{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11B0-6139-A3D0-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550880Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.970{AEE49BD1-11B0-6139-A3D0-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550879Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.622{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C834CAF957EEF43C4CEB91E6C03DB9CD,SHA256=57FF9095CA79E71E1A622B251209A514C970F368DF76660745B521CE60ED32CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550878Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.622{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7693294CA50B8D1A2070CDAEFA04E426,SHA256=3FC64D016CD3B8683D13EBDC43CC71359F7EA79C649D6146C63BE9404E98F678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550877Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.568{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6535D12B251C5CE8E19BD9D8C0F6E004,SHA256=746B0A63C5E9DE77941DEBA2528B7B1F785B0B282F06E41AF8856805B836551B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550876Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.406{AEE49BD1-11B0-6139-A2D0-00000000F101}31045888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550875Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.285{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11B0-6139-A2D0-00000000F101}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550874Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.285{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550873Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.285{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550872Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.285{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550871Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.285{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550870Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.285{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11B0-6139-A2D0-00000000F101}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550869Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.285{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11B0-6139-A2D0-00000000F101}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550868Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.269{AEE49BD1-11B0-6139-A2D0-00000000F101}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005495873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:32.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:32.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99362442171107BCC05685D5EA68F89A,SHA256=C092913E619762FD59116914ECAEC101CD37AA0F67FC225AE800FE02C4827EE5falsetrue 11241100x80000000000000005495879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:33.685{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:33.685{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF49E3089124C69290ED2B41EC931408,SHA256=F489565C8B59C865A614557D5BA7EC8880592407F7EFDA238B795A80C79C8769falsetrue 23542300x80000000000000001550890Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:33.570{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03686E73264438F498938F618ED2C592,SHA256=3A409E531779C25A1ABDF6BEB2A318A0F93EF1021B1628A60BF1B4D45B710666,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:33.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:33.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77F7DD8420B7882129D449E9B30BFCF,SHA256=1A37BB7FA53A3F6F2334050F21E2812814AE10AA02B93E255C115B15DC8ED09Cfalsetrue 354300x80000000000000001550889Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:26.841{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61717-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001550888Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:33.107{AEE49BD1-11B0-6139-A3D0-00000000F101}19085856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005495882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:34.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:34.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8563B96D45830E68213C31BD8DDEE5,SHA256=EC47262EA38B32833CDB729A256CEE2028998341C5E7E3BDA741C455E857DF1Dfalsetrue 23542300x80000000000000001550892Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:34.573{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8ACC8A68375F9B0C51C59E04E7D0BF,SHA256=2442681EA7601CDD2E7E6EC5D361C6E535E493C1C74D5A9C1898A9E5FAF02077,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:19.565{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49784-false10.0.1.12-8000- 23542300x80000000000000001550891Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:34.005{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C834CAF957EEF43C4CEB91E6C03DB9CD,SHA256=57FF9095CA79E71E1A622B251209A514C970F368DF76660745B521CE60ED32CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:35.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:35.764{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797202F25D601E46FB7C4511B0DFFEBA,SHA256=5914F1B35BA4AFB4F6A1D222B66CC783FD88DDCF226C380F009A827C0A7128A5falsetrue 23542300x80000000000000001550893Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:35.576{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E36AFDEE56150A5E5B6AA283952A266,SHA256=E70A706ADA6263CD982FEF0876857A4FAB8E705F8FC441BC2A3B024650D31D69,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:36.810{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:36.810{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BE290B81A7206BC687FFBC14BD8050,SHA256=1B67B60CD00687CC7F35F297A16685609A43639A3FD5FBC2ED585B7CE5808AABfalsetrue 23542300x80000000000000001550894Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:36.579{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16407C4A56D73E505039D258B3C2EA1,SHA256=CC78F3D942BF71089A4CFB0BD2AAC9F1246654C7D677E23FEAF2C292E8904814,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:36.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:36.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D55ABB6A4C04C42067C60562508BCC86,SHA256=DE76AEB0D0F4DABC57705F1490DC416EFA3CE92595CA21CD3584067A0D75BB67falsetrue 23542300x80000000000000001550895Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:37.581{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A851ED555233B523E2F66CF168EF1E,SHA256=84BBABBBD839A6022925BA7F7772016F5CBA50C45F69C64CFE8D92FF4B4BAC84,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:37.826{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:37.826{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3384459AA6DB8B2827A58FA40B541BC3,SHA256=2FAA2F3C7373863E18FEA10F51B6382D3C3C14783C01A6A9F2FAD1DB19054C4Dfalsetrue 11241100x80000000000000005495890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:37.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:37.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=906657E8CE6C221E25D9CED25BCC3DAD,SHA256=BAF1C6206F0346A3489E7A478CD701CC71B9118B0BE2F3087E24899E33C0ADEBfalsetrue 11241100x80000000000000005495894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:38.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:38.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB8986464B971008558B760541D13CC,SHA256=72CDDEFF628229F0049534822A20DF771317776AA76C0CCA3CDBDFB67E4D8D8Cfalsetrue 23542300x80000000000000001550896Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:38.584{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1BEE32A5B6B1163CF6E8D643161FE3,SHA256=0E10CEA0C5C279B506C95CD87E28B619E966BD9AC28809D32AAA890D3516486D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:39.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:39.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC94167425CAFCC2FFEF21E75C40C48,SHA256=861A68B57068C50312ACF3EEA395926DE05164C572133A316EAFB173BDA70422falsetrue 354300x80000000000000001550901Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:32.855{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61718-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550900Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:39.586{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16AC68602DD277A68B9D5901BDCF22A,SHA256=B95E6954B344B515332146C0BBAD488DC34E06738D98028299EEEC0F78960FC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:39.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:39.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6B1750A362AD5D9DFC728BE33687B9,SHA256=C25848C5470A56BB92DA47052A7CCAB5C83CC60E53EDEF6F8D7C2C6D3F9B131Ffalsetrue 11241100x80000000000000005495896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:39.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:39.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EBE79B0A82B25927C85CFB0A4A49CDF,SHA256=D092E68DEF512E0EE3F341C5C504E2CC3D2F559C7CAFC48986E9B886BC1B67E4falsetrue 23542300x80000000000000001550899Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:39.371{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7256MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550898Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:39.254{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=122CD67AA4C6662425074EFCAC5AEC98,SHA256=B91E52E1FB15C617B2A2E70B133D8ADE94F209A0BD897E781A279083F862744D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550897Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:39.254{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF4217CC2D182127842D8F820B729E68,SHA256=BCE7A9A35A35698F07A42765CD246C5F7E314C402F85B9DE904A96F6A83D7819,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:40.935{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:40.935{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD086E95755445FED4496FE38E8F0DB,SHA256=AB20FDDC589850C9646D20A9CD569CFB14407C7CE8392B05BF43D94026A31BFAfalsetrue 23542300x80000000000000001550903Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:40.587{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FD1AA0798DC87176CAD9B118DD26A4,SHA256=09B2C2D720EBFFF4793BCBFF0E2BE467432DFF7F62A92D1F34635573ED072426,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:25.580{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49785-false10.0.1.12-8000- 23542300x80000000000000001550902Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:40.372{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7257MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:41.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:41.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6161ECA21FD243B67D9B2B0F6938051C,SHA256=6C0D77B00FF40217631809F9D434A217E16D5B9DF2B236811E6E523E3E1FA672falsetrue 23542300x80000000000000001550912Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.588{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC0B3F847DC2C5FF4BB34B83842714D,SHA256=67A1551313C06663FD352F625CE44059CE0306B45813AAA0A850EE7EE2767B73,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:41.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:41.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=721D09F09BE1C1948A4F916452255C01,SHA256=49A66D7FED80A7DE2F01121975AC747516AF5E8ED76A88C0D86596E80901358Cfalsetrue 10341000x80000000000000001550911Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.522{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11B9-6139-A4D0-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550910Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.521{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550909Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.521{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550908Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.521{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550907Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.520{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550906Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.520{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-11B9-6139-A4D0-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550905Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.520{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11B9-6139-A4D0-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550904Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:41.505{AEE49BD1-11B9-6139-A4D0-00000000F101}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550914Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:42.590{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCC08F8250FF70182B54CA5AEA03C49,SHA256=39B3FAAF7BF8BD7203587B1B53D3D00B85A7044B2976BCBC19B78D345319C29A,IMPHASH=00000000000000000000000000000000falsetrue 24542400x80000000000000005495914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.467{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=17F76E75F885C2B29C37FFBF3F61EC91,SHA256=9C0C9D88B887E3E5B41216B2A2127BBBFEEAFB3E957FD8657395238C596D36F6true 10341000x80000000000000005495913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.467{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005495912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.467{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005495911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.451{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-17F76E75F885C2B29C37FFBF3F61EC919C0C9D88B887E3E5B41216B2A2127BBBFEEAFB3E957FD8657395238C596D36F62021-09-08 19:40:42.451 10341000x80000000000000005495910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.451{4DF467A6-3F58-6132-2B00-00000000F001}29486000C:\Windows\sysmon64.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005495909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A2488EDE6E58064C7CB6C43C150039B,SHA256=FFBBBE4117B0C1376FF636EC5629CB0B318C70FBD64325519D25E22CEDCC1D13falsetrue 23542300x80000000000000001550913Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:42.506{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=122CD67AA4C6662425074EFCAC5AEC98,SHA256=B91E52E1FB15C617B2A2E70B133D8ADE94F209A0BD897E781A279083F862744D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550915Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:43.592{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC38B65209B6061A3D0A4C5A5CE84031,SHA256=0772D9591E18B7F8E611E119D145E0B9C45A82A32DE22625E5FF349D140F91DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C2C3FFCC707A46221FB3772468D24F,SHA256=0B2800609D1929AE1AA758B24D407157EB74C0B72AEDF7EA5657AA0BD6D43660falsetrue 23542300x80000000000000001550916Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:44.595{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41200EB5F54D497CBC4E959FE35FFDEF,SHA256=2B4231C29F392510BF69CD3603319B01261B50F7D0235D1A3257181A1BDD89D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:30.736{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49786-false10.0.1.12-8000- 11241100x80000000000000005495922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:44.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:44.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8ACFCF0011437E2660A57A52F820452,SHA256=666CB43FB53D7CE2AEFD5F7E2F6DCFFEEEAA3E0541F03A2F14344DE113C74225falsetrue 11241100x80000000000000005495920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:44.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:44.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6B1750A362AD5D9DFC728BE33687B9,SHA256=C25848C5470A56BB92DA47052A7CCAB5C83CC60E53EDEF6F8D7C2C6D3F9B131Ffalsetrue 11241100x80000000000000005495918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:44.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:44.014{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571023D88D5A7C3952461C487364D414,SHA256=0EBFD27136402284E1FD6F1B1A6E363CD93D5DE6C7DD3F5CADE2B83F45644D45falsetrue 354300x80000000000000001550919Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:38.612{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61719-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550918Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:45.597{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9850813EFBAD2552D265109754C9647B,SHA256=8E451193DCBDA87D57EAD50C2FFF3C69C665BE033CF5AB5ED9994047822BABD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:45.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:45.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC68851CE60B575A4654843ACCB0F3AC,SHA256=80937654852692E946BD1EACE75456BF3067C7B174794114DABDD786380A15BDfalsetrue 23542300x80000000000000001550917Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:45.011{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=697D92FC4B399C652BC0015FD5282D14,SHA256=3E9FF2D340FCBFFC0C80EE4E43B92A17B265CB302B00E808EC9BBC7D65C5D61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550920Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:46.600{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B882CF177FE931BCF8E25CA65298109,SHA256=514E852E2E740CBEF0AAEB554DBB25AF0A960BB4C23579C3324E369615B3BDA7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:46.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:46.873{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8ACFCF0011437E2660A57A52F820452,SHA256=666CB43FB53D7CE2AEFD5F7E2F6DCFFEEEAA3E0541F03A2F14344DE113C74225falsetrue 11241100x80000000000000005495929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:46.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:46.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AF4CC326F145DE847D75D0D28CF3BD11,SHA256=92A3FC829D34D8AAC67C694576AAC6C05C125EA37B6582989473856EE1157E15falsetrue 11241100x80000000000000005495927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:46.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:46.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB5C723B04CAB11AE1B7CAD99DB09CD,SHA256=B87809B707EF4BF63683143EADBF4556ECE8FA5CD851AFF5B3D90EA1E20DB3BBfalsetrue 23542300x80000000000000001550921Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:47.602{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F855B9C12A52644A93D329E62DFF32A,SHA256=9B920C43EDD00B6DC3FA14933AFDA53E81F8F2A4AE611535656F9BEE0624F3D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:47.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:47.217{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=63EB9F3E3E16EF5550A2914004F67392,SHA256=0667B271BFDE47C281143F3049012FA0DBBB70E192EBCF1EF644B27E39CA6649falsetrue 11241100x80000000000000005495933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:47.107{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:47.107{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B480B7F574547FABCCFB8F2CD323E4D2,SHA256=F0053BDC20619B027C17D81B7327AB095EE482B635CF04707AE1A43207A18FB5falsetrue 23542300x80000000000000001550922Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:48.605{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECA496A8369F377017E807BAD1F8A6E,SHA256=84E4C9F5B7B884511B1551DF1CABF35EC6246EB35969CFB4532EA2528E59D9C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:48.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:48.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70104DEB6E83120DB8FAAC94F1DAEEA,SHA256=8B741565DA88AFA3E8D25BA4F5E6A6A955155C9EFCCF49B75F470AC35E18696Efalsetrue 23542300x80000000000000001550923Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:49.608{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CC3B119F9D73571BA7B1DFF2F8B525,SHA256=21C54DEF278024EE4FDC419B2B986405BE1AAEAC6A300E4301646F0BA45C5FC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:49.389{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005495940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:49.389{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005495939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:49.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:49.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467D5CD7CF07437F69CCD2ECD085D748,SHA256=76EE96A47E155533623C8F4AFBFC41180B47A41AD2005480FC5A97C36A93F6F3falsetrue 354300x80000000000000001550927Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:43.843{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61720-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550926Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:50.609{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D38B0268B2CD828171D91C27755C9A,SHA256=849A3298349DF24A1F5EECE18DEE99BCDB352194B25123BB37A0CFE461262BCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:36.674{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49787-false10.0.1.12-8000- 11241100x80000000000000005495945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:50.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 11241100x80000000000000005495944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:50.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:50.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BFDC28C6721F4FD786C5AF44E0B9C4E,SHA256=6CF96046E19E6EB182AA41CA4BAD17DE2873F5AE229CF31C2B940471662A0AE7falsetrue 23542300x80000000000000005495942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:50.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B948366A292E2DFD4B43A2E1F07FF3,SHA256=A13D703F5E2FBF4AEAC9DE92BDC17A11D16330F215CAA307C9E16B3BA0D46314falsetrue 23542300x80000000000000001550925Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:50.262{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE359C6C4C35BE0702A76DF460B3CABE,SHA256=3D1BA738C891AC7093BCDA32ECF4030283C59963B9E714B27EAAF90BF3A99201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550924Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:50.262{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77425B9016A552D69B18DC1139FC89F6,SHA256=1045703E11385F0CF18A96BD4CB19A077DE0F564361477BC2E748BEFACA66D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550928Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:51.610{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5621138F594F1278EDB9D0F49E6254,SHA256=AC8B1FC08978D480900129AF9448B0A30B101C702AABEAC71AE0B0371D1606D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:51.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:51.857{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1C2865C3B1494EC242D5554A176DD65,SHA256=274FB115D59CA6D1C49DC38FC7C001DDF81C304D1BCB35D8A7824D9ABEC26E75falsetrue 354300x80000000000000005495951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:36.877{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49788-false10.0.1.12-8089- 11241100x80000000000000005495950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:51.450{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:51.450{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=841BD5D13C52AB08ACEEDCA7FB873786,SHA256=774361E91CA318343C2788E4D5071B5D0B6A74999B2E50CB03B479C112C6F7C8falsetrue 11241100x80000000000000005495948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:51.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:51.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2A870C46BF0F2223805654BA45C0DF,SHA256=2F83539023BFA4E024DEFAEC547C3F80692E97CA1DC3ABB44B0375E474CEA787falsetrue 23542300x80000000000000001550929Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:52.612{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A6D31E965CDFD92CDF9B4C251A2302,SHA256=F50B3DBD72D07CC073A53DB4072A0A4CF1E782E6A8B989142251ADCBB27D77C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:52.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:52.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=12F5272E40A32637A202F86D14DF1DFB,SHA256=27D7CBB20550AE897E0CC29BBA85AA84A2B10329DFF1AFA1517615DACD9B8EE6falsetrue 11241100x80000000000000005495955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:52.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:52.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FB50A97A7C307502AE65CB7F1512C2,SHA256=1E6B49696A80377C4DA89F1E375B3D89AB16FD2232822A0D13D7F050F370FAECfalsetrue 23542300x80000000000000001550930Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:53.615{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB91643F1CC5E5589EB5739D5CF3DAB,SHA256=DD6401730F8071306487D917D20EE3CEFC837F2E104574F86BA606D72CB161F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:53.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:53.247{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E381E2CEFB45CD7147809CDDA25AB18,SHA256=F4B0B4B2A02B43E46F2B64BF9348EC017E82E5CA5E8E7D48B9344FF43A5CD5D8falsetrue 11241100x80000000000000005495961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:54.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:54.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A85FEF70EB8696AB771ABE7A7AF7F6F,SHA256=A1756598B127060E929AFA751BDF332E338365682A93716F4B039F441933CBECfalsetrue 23542300x80000000000000001550931Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:54.618{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0BF11F2FE459CEE694C242845E9BFD,SHA256=EF69399972EEDA600DA3F64272F6CADF0D8866A0453023367E7FB4EDCA4D582E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550932Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:55.621{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00717E706D2F349C566EE81FFBD2395,SHA256=5624ABE6FF8FB396F6DD789052CCB3EEBEEC639303175BA75C82A63122265926,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:55.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:55.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4502C6FDBCAD1A84FBB216305D035D2,SHA256=F63A5AB6FAE5646E1F3FA7F6A1DB26E99F79748EC5673C7984A8CE257B242DDBfalsetrue 23542300x80000000000000001550935Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:56.624{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90E2979060DF3F0EA0BB8260591363C,SHA256=D9F11A16F74CDF01D1F1B7E2B4EF8C047A8825E3881850DC168B0AC0AE563AFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005495970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:42.626{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49789-false10.0.1.12-8000- 11241100x80000000000000005495969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:56.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:56.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D5C3B05ACEF0A9B265C71B5B82BBF7BF,SHA256=9A8B14D27EBDA094A85B40957FB49854F3635A0FC973658DE55750B17E57BEA0falsetrue 11241100x80000000000000005495967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:56.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:56.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392F22E2B31A109F4AA843A6CB40F8FA,SHA256=DFC1BB0A14B9E4849D92ED4E3EF8FB5942BCFE5FED8CEB8A4E5B5B593FB1E26Efalsetrue 23542300x80000000000000001550934Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:56.156{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3AA04287E04D36DA7ABE0011D2B5519,SHA256=9FB95E5786D63ADA7B61FAACFB0F41816AADAB06BACDA7D810EB5A0DE807D09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550933Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:56.155{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE359C6C4C35BE0702A76DF460B3CABE,SHA256=3D1BA738C891AC7093BCDA32ECF4030283C59963B9E714B27EAAF90BF3A99201,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:56.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:56.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E068D5343DC2A5C4CAB041A743A8A2AB,SHA256=49B6D66E7CFDF98EA5E9DB503D418620C0DA321AF0046470FBFA6BEC87DFE1CDfalsetrue 23542300x80000000000000001550937Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:57.626{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8DD96B041DDF8D21B4EF1F563341F9,SHA256=4D2642A247AB041AFF6241D10586D7252EB77A39EB67EB504CB107EF15BBF1DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:57.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:57.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6BC4C5794D6C3E2193D20B5C2691558F,SHA256=C614BE3B6BE54AE2EAE21DA72C9A937513CB977C2FD5751E6758BCD3EB5B5979falsetrue 11241100x80000000000000005495972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:57.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:57.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0EA26CDC79FF919C05EB77C11BAA06D,SHA256=1B20BCF0B023EF278565DD28009246E5A0E3C1978C5B14CDA439C7ED147994DAfalsetrue 354300x80000000000000001550936Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:49.755{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61721-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550938Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:58.628{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986CB4B18E91436A27190C203D52E6CE,SHA256=375E0D2D1100D303EDDC5BB0F78D3613D5C9600AD4ACBF24EB1A36193CAA5E90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:58.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:58.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDF2A837AB492C4FD8D268EADC5EED9,SHA256=670D9DCF7F1F1D41D432C962873BB0CCDABBD5D96040A88670F6E6C14A964B33falsetrue 23542300x80000000000000001550939Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:59.631{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2092BDD6A2F9EAF92B609F998EF04BD,SHA256=19A8B93AD48462E449EFE374CB302D06D0D659F45B53607BFCFCC9D554E33277,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:59.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:59.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0ABF7A3FF8A1DDCBEDE2E146565BBE,SHA256=5BA59BC52E55664ADF030CC5106118D6A64280943E56F98B6583F254F0147528falsetrue 23542300x80000000000000001550940Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:00.633{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7F5FE101CD22485A9919D8F7CC48E3,SHA256=97A15217B799848C233456CB739A226471FC44B224317CDF6437E756008B648A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:00.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:00.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1E942263DAF6FF48AB2B02CDB3C762,SHA256=C57FDEE538C8055965CB6E9B326A68C8933B819EB14C3E8DC8C8E78F9F663F1Afalsetrue 11241100x80000000000000005495988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDC1749660C2AF7849F85A20BF990BE7,SHA256=9DE30F43E7F4DCB292D161D7EFF4F08737FB7806D685A4B64CABF728484B9375falsetrue 11241100x80000000000000005495986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.685{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.685{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F983EBF0AAE289C35BC9E27A20FA0E5,SHA256=579DB3D61EA9B20C9570CD61852667CF9D2E5473F4CD54855E09A37D452EDCB2falsetrue 23542300x80000000000000001550941Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:01.636{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E48B451062557CF21098B875C7CF64,SHA256=F24E12DA263FE246455F1D9898572383F6507E84C596A5ADAFADE381E7C01BEF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14403C7C6CB96B1EEC806FAF0520DA47,SHA256=F5E6FFBA37EBFD40D44796E97C51036A85AFF6E3D92D8B2A2FD87AC0C3FCA583falsetrue 11241100x80000000000000005495982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005495981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:01.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FA7585A5BD062CDC6B78D95A8BBD1A,SHA256=117FD3705554D676BC9FFD0391322A1CDD71E3D9D4413F2EAC829AD7EB6EACAFfalsetrue 11241100x80000000000000005495993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:02.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:02.747{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01392D90EBF5A03FD9C5028F3BDD726B,SHA256=79F3F6BB5CFD3C9027922C22C09EBFED32207BC67984CBDD29472EDE36774A7Dfalsetrue 354300x80000000000000001550945Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:40:55.621{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61722-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550944Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:02.637{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDFDF831F075D0F1554483CA5D5A2B7,SHA256=322B3554DBF15DE1433327B1FAE0DA3026BA544C7C52F18C051C63D83865E96E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:02.404{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005495990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:02.404{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD028299B80900594A6916770D74FEA9,SHA256=120C569B2F6B2C02428E1DADED1246AA4E6A70B7C5C5DABE7166DA2E379337CCfalsetrue 354300x80000000000000005495989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:47.626{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49790-false10.0.1.12-8000- 23542300x80000000000000001550943Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:02.021{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAFDF558211E7C5F7CB86B9C07EF13A8,SHA256=2E20E3FD4B05556CB0F190D00BCFB8D5FBF6DC7441456FAE2C553470E2C3203E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550942Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:02.021{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3AA04287E04D36DA7ABE0011D2B5519,SHA256=9FB95E5786D63ADA7B61FAACFB0F41816AADAB06BACDA7D810EB5A0DE807D09A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:03.810{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:03.810{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA39E8DE6F153FCAF48263AE7B0A93FA,SHA256=EEB941079E7861D288CFFCA2503DA8BDDA4C33C60F67902AD1EA405F59C04C30falsetrue 23542300x80000000000000001550946Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:03.640{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745603645CC006F69ECE6D98F50E8FEB,SHA256=760AC486F04865667324758BABD8D9BF968D62D9B2D8914A881989205C7440D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005495997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:04.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:04.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50892CB8176D1261153BC4032260EDA,SHA256=423420668C2A921C7846EB9DB1586C3C546A451ADDC4B4D1E6240B8742957534falsetrue 23542300x80000000000000001550947Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:04.642{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D43C360C16A70429FCC85C714271D4,SHA256=419671943D9A899A9EC15ABCD03F1189437DBE9BFC2FBBFC090C726FC2FFED4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550948Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:05.644{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F331AC011DBFC12B13D456B6DA6E0B97,SHA256=5FFD547E4FD930149BA72EC867AB63F0DB005324326B0F607540ABE6AD4DFABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550950Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:06.647{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91316F976DEEDED462FCBED40C2934A,SHA256=3B549624F400F91A387358AEFE51F8E50657BD217A8D0324E2244EE62964E518,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.872{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.872{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BF445693A415F3812F3D5F17398F32E,SHA256=7E2930186156B7108195AE73C6783302D6D465966B09D4D6DA955664FE897C80falsetrue 11241100x80000000000000005496003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.872{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.872{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14403C7C6CB96B1EEC806FAF0520DA47,SHA256=F5E6FFBA37EBFD40D44796E97C51036A85AFF6E3D92D8B2A2FD87AC0C3FCA583falsetrue 11241100x80000000000000005496001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7843CD928C52F86639F0AF1826B9B9F5,SHA256=EAE09FFED0E09DFB940A6522579E53D0A69B57A0ADB04C0FD3C7B015A8FF507Ffalsetrue 11241100x80000000000000005495999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005495998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:06.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2483ED1CF2808C88EA9634CB2A6D7D,SHA256=D602BAEDB7DF536D588C398FA5B58CF0B50223DE6B630D8457030DF71354B41Bfalsetrue 23542300x80000000000000001550949Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:06.578{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FFE3A075CFA0A7A2BE65A4A83D060954,SHA256=015190D933C9E29C96555C20A19BEE7BE20DEC78CA03E9BF7BE4879E00DC64E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550953Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:07.648{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FC8F126E3423AF16B6400BB3BDD954,SHA256=2E54A37AE08299A0027A41B81C9FB72B652FBB65E51FD5296C07DFCF2F90F84F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:07.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:07.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C8F7F9A9EB4C38F9345AF179FD3F16D7,SHA256=494E6F2B0B96099261AA2EA8F4AC43A74C866FA6E63A5EC5EABE8794F3148E00falsetrue 11241100x80000000000000005496007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:07.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:07.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B218D2E9A3BF2183618100902D02611C,SHA256=A2A13AE0097C17B574E03A0BA95CF7186B3C8A8791B0986D8A68B66F4435CAF0falsetrue 23542300x80000000000000001550952Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:07.181{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E1D9E95A0499E63D91BB6F5247511F,SHA256=260BE24686308595C1FAF498292352F7A39CF24E8955E66EF01800B2F5345AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550951Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:07.180{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAFDF558211E7C5F7CB86B9C07EF13A8,SHA256=2E20E3FD4B05556CB0F190D00BCFB8D5FBF6DC7441456FAE2C553470E2C3203E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550954Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:08.650{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5996CAA266C3B642686B2528532C19,SHA256=827F0E7497D513B8B4FC67DA41F170E3C023352BE2B3B8FD9BCADF883E352BEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:53.579{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49791-false10.0.1.12-8000- 11241100x80000000000000005496011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:08.200{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:08.200{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCF2299DE5718181AF90B81EA3818B9,SHA256=21DCC7F4DE65F2E589B1DAB3F29403CEADFDAE471CE837C2FC1EE6AFC81E9C81falsetrue 23542300x80000000000000001550956Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:09.652{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D82D2AD1FB76342122832783D7728D0,SHA256=86B5AECF141738D441B9A0EB8E1708CCD2A44BC3AF1EFD35569F5C172FE64AE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:09.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:09.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2963AC05D3124FC82312060574B0514,SHA256=6C96225D8A06F9E39F5C91A773A8C7F93BE7DB6848A8D6954552617F355FACB6falsetrue 354300x80000000000000001550955Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:00.779{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61723-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550957Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:10.653{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B40399A1740A4AA073A5368E9B0577,SHA256=2BD9A1F15310050B1DD5DE0C8C66920EF501B7A9DD0F0FEADA06478E795B24DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:10.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:10.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86240FFA05B3A9C7D1878965005CEAE,SHA256=EBBCFB445E917D0EEBA151D777132CD61DBE22ADDCCA5FB5865E8A8FE47482E4falsetrue 23542300x80000000000000001550958Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:11.654{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D593E8CC2A42DCB561D9BF79908C0D51,SHA256=208F71C719ED2332EE8357CB85BBA13FFD67F817F6C5C1028D0046EEAB4C78A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00120072FA2F6E9AF7E03A730F257070,SHA256=1815D65BC786D9B61B516D7AEA227EF05F26824F6F3EF4529EF47F7C16A06482falsetrue 11241100x80000000000000005496024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.876{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BF445693A415F3812F3D5F17398F32E,SHA256=7E2930186156B7108195AE73C6783302D6D465966B09D4D6DA955664FE897C80falsetrue 11241100x80000000000000005496022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.657{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.657{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93FE1B9FDE75F3840033B0FC7CCA6403,SHA256=5BC472F059D38806863B62E6F5FECEC0201FBF076BD67367A29C309D3D5D6AE5falsetrue 11241100x80000000000000005496020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.423{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:11.423{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA30ABBCC51D57DB954A4BB9C89D72E5,SHA256=042501F378BF0220BCA0392C2B45C2732106E8BD62CD9673E442721F7617CABFfalsetrue 12241200x80000000000000005496018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:11.251{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005496017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:11.251{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001550959Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:12.657{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906A61F00F7E02E3EF24FE7F19982E14,SHA256=BAAE450C85C6FFD91F4E9ECDFC798A242D41BED42040B3D2DAAEE5E5B18F0032,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:12.501{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:12.501{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=974089A7DC07AF6488CC2824A9BC217D,SHA256=3B058BF438B469CA08F704EBFBD223111226EE3F268035A5FC7014317A0A6F33falsetrue 11241100x80000000000000005496030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:12.470{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:12.470{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC63F20AF84D0917773B121A8632BD9,SHA256=EAA36B9072AD309F6F80CE372CE36759C7347F8F0BB96C34BF7BB67485F0E919falsetrue 354300x80000000000000005496028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:58.754{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49792-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005496027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:58.754{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49792-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000001550962Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:13.658{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE2CD5532C79AFDA5437F5E6CF10AE9,SHA256=287BC24BF7EC7AE1FC0297E2A32BE5EA078B4DE1BE28D19A022A377675AA2017,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:13.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:13.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C1CA46F03F3E87AD32818D06BB24AC,SHA256=F7218EFADFD53053539CEADA233BF30F81300429EECDD3225C685B62E3270282falsetrue 23542300x80000000000000001550961Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:13.142{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=271028D5097880CA5BA9D834B549420A,SHA256=EF1DF80C69D813D9BE7501284713A22C6C736CE8B7DEE0A86B63405E8C2DE3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550960Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:13.142{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E1D9E95A0499E63D91BB6F5247511F,SHA256=260BE24686308595C1FAF498292352F7A39CF24E8955E66EF01800B2F5345AF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:13.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:13.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00120072FA2F6E9AF7E03A730F257070,SHA256=1815D65BC786D9B61B516D7AEA227EF05F26824F6F3EF4529EF47F7C16A06482falsetrue 23542300x80000000000000001550965Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:14.814{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550964Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:14.660{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19925E0C88BD7D5E7F4F199163FAC5C,SHA256=7BC03A4174E4FD87E4C67F7C31AF72A74EB6CA35D7B9FF7CA14F655DADFEBBEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:40:59.598{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49793-false10.0.1.12-8000- 11241100x80000000000000005496038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:14.532{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:14.532{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AE6AF9E7D012D90A91EF712A38E50,SHA256=9420C1B1B2C3D696C3549B73F96E6DA265F3342C959FE0998C76DF2B3E1384A5falsetrue 354300x80000000000000001550963Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:06.727{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61724-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005496041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:15.548{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:15.548{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D98F9D9808B670D51BAAB29A3F46565,SHA256=FDCE770125A9FCFC4792B13E140A9B48DFB70336747F8E6CCBDDAD60A559F9A8falsetrue 23542300x80000000000000001550967Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:15.799{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=271028D5097880CA5BA9D834B549420A,SHA256=EF1DF80C69D813D9BE7501284713A22C6C736CE8B7DEE0A86B63405E8C2DE3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550966Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:15.663{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7D3EE2DEA90368B256C574C7073B90,SHA256=76ED905777CCAE73821D02019CCE5BD2F8B2D47C078B18F40C232FCDD39E7341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550977Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.734{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11DC-6139-A5D0-00000000F101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550976Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.734{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550975Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.734{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550974Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.734{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550973Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.734{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550972Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.734{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11DC-6139-A5D0-00000000F101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550971Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.734{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11DC-6139-A5D0-00000000F101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550970Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.719{AEE49BD1-11DC-6139-A5D0-00000000F101}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550969Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:16.666{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC83CDCD9FEE7B9FDCC2EB9A20BAA33,SHA256=052348F1472583842D73A95B912202C3C8B96CB4990ADE6C65D651F4E1101505,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:16.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:16.564{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08427A5F8CBEFE4419BDF53353005867,SHA256=C6FA4462AEC66DAAE9E08AD8DED54899C19502FD749157091214E666AA953749falsetrue 354300x80000000000000001550968Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:09.394{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61725-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001550988Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.720{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=756E31F83585AF702E45FB7AD21C938E,SHA256=AA63D05B3303F2BA79C652B85D2ED39C32B1F3309C04CAE55DE609C222C6063F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550987Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.667{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BA80130237BC1477209A1D77E177A7,SHA256=783304C90AE8A1CAD3ABAAE1667393081F6C3C71FB55D6CAD7CAA0C65D2A5D49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:17.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:17.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34C37A0F77C4507E855FC77802C9A3B1,SHA256=BCB8D20C605DF4CEBADB43D9E3E605E25727BCF8E3225EFFCF4DB384B06175C4falsetrue 11241100x80000000000000005496047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:17.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:17.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A3D7BACF12707987231BED505BA47E,SHA256=5E582D3215172CDD1A6CBCF7669D71257FB507DB60C2193267B6136EABA16E87falsetrue 10341000x80000000000000001550986Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.536{AEE49BD1-11DD-6139-A6D0-00000000F101}8684132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550985Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.405{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11DD-6139-A6D0-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550984Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550983Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550982Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550981Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.405{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550980Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.405{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-11DD-6139-A6D0-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550979Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.405{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11DD-6139-A6D0-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550978Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.399{AEE49BD1-11DD-6139-A6D0-00000000F101}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005496045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:17.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:17.079{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E7E3C0F3B08149195D6DFFF2CDF3555,SHA256=0E896BCDC55F55E46287BDFD5993503158670358A3E103ED30008CF21A67C52Dfalsetrue 23542300x80000000000000001550997Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.668{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E54DDD55AE39875591273FC2D7D1051,SHA256=0253BEF16C1B4D97E6F7F3CCE57F697934E2DF9DE4ACCC609AEAE7EAD9B35E8A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:18.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:18.595{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAE6B32B7AAA8CE817104AE9003795C,SHA256=98E6C65070B05D4A6A7EDDC5E8D922CCF4321DAE23EE1DC95BE005E51CC6E462falsetrue 10341000x80000000000000001550996Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.083{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11DE-6139-A7D0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550995Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.083{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550994Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.083{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550993Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.083{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550992Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.083{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550991Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.083{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11DE-6139-A7D0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550990Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.083{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11DE-6139-A7D0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550989Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:18.068{AEE49BD1-11DE-6139-A7D0-00000000F101}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005496053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:18.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:18.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D981B597ED43E504270E5DB67212ACC4,SHA256=062C674E01BE713E81FD2CCDA6A29A2ACCBBF979580B192155FED40F722FB232falsetrue 11241100x80000000000000005496051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:18.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:18.189{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE4C44B3D02DF5DAA150E62D2FF8D465,SHA256=284E947540C6A0FF22F3C6244E07688AF1DAC59A6302C8EA64F20E0C6B7053DEfalsetrue 23542300x80000000000000001551002Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:19.670{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07E400669EEF1BB74A4B04C7DDF132A,SHA256=0DF995B368CE2AD08AC133FB98E0F6E8F4066A57C87763379CA45C7450FFFC62,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.829{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F4D1A6F88F123ED45660B5A55C5241,SHA256=F95B6380A9425822D734644E06A6346C577086F1B1FE9563D8707EFA7BAD2E61falsetrue 354300x80000000000000001551001Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:11.800{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61726-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001551000Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:19.138{AEE49BD1-DACA-6138-1CCA-00000000F101}4976C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\SiteSecurityServiceState.txt2021-09-08 15:38:17.364 23542300x80000000000000001550999Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:19.138{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\SiteSecurityServiceState.txtMD5=E4F489D4FFD7A3DB4ECCA9507B81578E,SHA256=8A264085EDAEBC80E5F3DB7CA9FDEE2E54AA1C32F5EBF877365A8C98715789A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550998Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:19.069{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F5222CAB4F35B095E4113D3332A0A2,SHA256=07E88F949448019CD1470EACA1C01178644D873DE8E92EA3B60A8159D1D54A0E,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005496113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.564{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005496112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.564{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005496111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.564{4DF467A6-11DF-6139-ACD6-00000000F001}74805480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005496110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:04.676{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49794-false10.0.1.12-8000- 734700x80000000000000005496109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.548{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.548{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005496107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005496103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005496101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005496072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005496069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.439{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.423{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.423{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.423{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.423{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005496064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.423{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.423{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:19.409{4DF467A6-11DF-6139-ACD6-00000000F001}7480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:19.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:19.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:19.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:19.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:19.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:19.408{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551003Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:20.672{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CE64599454913A633B65DE4A224CA1,SHA256=CB0FB6A34A05CF1D8B535BD86222E249E05B0DBD860A313EE277620C9ECDFE76,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F86091EADD8957CC81CDDE6AD93CAD,SHA256=E51B5366CDF5CC6E705BE09F0B1CE5D1AB54485064F053A8D0888CD25797AEC7falsetrue 11241100x80000000000000005496231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.970{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.970{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A467D17D7BB3C4FD391CA0862DB28E40,SHA256=207F1318509F3E25100BB0C22D37B103990FC85172DED0D9F53A2F2E00D0134Cfalsetrue 534500x80000000000000005496229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.923{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005496228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.923{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005496227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.923{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.923{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005496225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.814{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005496221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005496219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005496188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005496187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005496182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.798{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.783{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.783{4DF467A6-11E0-6139-AED6-00000000F001}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.783{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:20.783{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.783{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:20.783{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.783{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:20.783{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005496173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.486{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D981B597ED43E504270E5DB67212ACC4,SHA256=062C674E01BE713E81FD2CCDA6A29A2ACCBBF979580B192155FED40F722FB232falsetrue 534500x80000000000000005496171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.236{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.236{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005496169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.236{4DF467A6-11E0-6139-ADD6-00000000F001}74164224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.236{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.220{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005496166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005496129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 10341000x80000000000000005496128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.111{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005496124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.095{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.095{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:20.096{4DF467A6-11E0-6139-ADD6-00000000F001}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:20.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:20.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:20.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:20.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551014Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:21.675{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D8E5DFD33BE05B39DFC6DB1E8BD121,SHA256=DA2709DB1B9D1AC199FFA27BBF2F7D1270958FE80AA76FCEF8DDD664D947D422,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001551013Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001551012Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a9ea2a1) 13241300x80000000000000001551011Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e1-0x1e313bca) 13241300x80000000000000001551010Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4e9-0x7ff5a3ca) 13241300x80000000000000001551009Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f1-0xe1ba0bca) 13241300x80000000000000001551008Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001551007Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1a9ea2a1) 13241300x80000000000000001551006Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e1-0x1e313bca) 13241300x80000000000000001551005Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4e9-0x7ff5a3ca) 13241300x80000000000000001551004Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:41:21.628{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f1-0xe1ba0bca) 534500x80000000000000005496289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.611{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.611{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005496287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.611{4DF467A6-11E1-6139-AFD6-00000000F001}65046184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.611{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.611{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005496284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005496247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.486{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005496242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.470{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.470{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.471{4DF467A6-11E1-6139-AFD6-00000000F001}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:21.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:21.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:21.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:21.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:21.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:21.470{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551015Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:22.677{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4A22D4A89091D559A42663D0387C1B,SHA256=9DFE5A9BC6B11945C896EBA2CB7FE4361DBA191DD50986181E495878FE536AA8,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005496415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.908{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005496414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.908{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005496413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.908{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.908{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005496411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.814{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.814{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8C7E2002CB6CE7DDE309C3232F0A3F,SHA256=9C5E0696059EDA4299B3672C4EE5B489DBD43EDEBF2733FF9E730335241F70F7falsetrue 734700x80000000000000005496409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.798{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.798{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.798{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.798{4DF467A6-11E2-6139-B1D6-00000000F001}3716\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005496405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.798{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005496403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005496398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005496375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005496373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005496372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005496371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005496370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005496367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005496362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.783{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.768{4DF467A6-11E2-6139-B1D6-00000000F001}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:22.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:22.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:22.767{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005496353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.658{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB7B79EB436FDBA30742BA7A811E4F11,SHA256=6F22D749BE5215AF29F15742852119C2FF3002ABD572D156C2FC2BEA54B5E3DAfalsetrue 534500x80000000000000005496351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.236{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005496350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.236{4DF467A6-11E2-6139-B0D6-00000000F001}73527564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.236{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.236{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005496347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AED2A5DE87F84DE8CC6BD50E97C12E1,SHA256=430074CE8E6CD75A918957BAC56384D16B57A1513C0FEEB128A157ED51C6E8B6falsetrue 11241100x80000000000000005496345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8560FBEB4554B7D0B8992F1FF718AD29,SHA256=EC53CCAB3267A89DB62664AEE5A75B9BA8955A9CAC5BF7140DBBC43396976721falsetrue 734700x80000000000000005496343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.126{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 11241100x80000000000000005496342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 734700x80000000000000005496341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.126{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 23542300x80000000000000005496340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.126{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=574503C424A9287A37D5BC4E6876109B,SHA256=22775505C8A98A967B27DCF5DFD6EC6DF0685B63DE3C43053163CE6A9CBA689Dfalsetrue 734700x80000000000000005496339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.126{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.126{4DF467A6-11E2-6139-B0D6-00000000F001}7352\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005496337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005496335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005496330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005496315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005496303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005496298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.111{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:22.096{4DF467A6-11E2-6139-B0D6-00000000F001}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:22.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:22.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:22.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:22.095{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551016Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:23.680{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5876396D9F9F1285733843BFA85CE11,SHA256=2F2217073E00415701E6A773E5FFFB623B4BC7264A37E239B6EE68F6D96FE548,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005496475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.595{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005496474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.595{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005496473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.595{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.595{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005496471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.486{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005496467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005496465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005496455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005496437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005496433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005496428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.470{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.454{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.455{4DF467A6-11E3-6139-B2D6-00000000F001}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:23.454{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:23.454{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:23.454{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:23.454{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:41:23.454{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:41:23.454{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005496419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F39EB6F54F6271793AB2D9FEDCE560,SHA256=568943A3CDC4D5C0F812150E45EEE4CA82060374AFE352051DF4448A4F22CFC1falsetrue 11241100x80000000000000005496417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:23.173{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6382BCE79CF67F0DD86153AC0C195788,SHA256=7CE04B90ECB56CFFC049DCE1092F00CC9026B90B2865C6AE4801BE45ECB7893Bfalsetrue 23542300x80000000000000001551019Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:24.682{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39CF99493B00802DDACD3E65D6D17E8,SHA256=DDA95FF99305858F4E27C29F436AE604E8DA23A192ACE357D058C4979669FD53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:10.566{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49795-false10.0.1.12-8000- 11241100x80000000000000005496479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:24.533{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B04AF3E0C62C3545B508874CDA8E2ED,SHA256=06FA858B6A95E601E751E7DF978A5D1911887D03D71AD3B16FE1676497F3CB3Efalsetrue 11241100x80000000000000005496477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:24.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:24.314{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CE17D0C6FBF48FFED0725F867EAF96,SHA256=102CC6399700E9BA411DE81D047DF39A1A15C66D5D30D5167021103F9DA0F499falsetrue 23542300x80000000000000001551018Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:24.150{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6324684ECEC750F1F4E52D93DD9436C,SHA256=5D5D2A2872806CF95AAF9572A64A1B98152B7980135F3CDD070293C373E13BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551017Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:24.150{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6CD43008B7F2190A8625AACA949CFA7,SHA256=82E47402E36207116CCBB7085F78CD034F797CE2D291AB534253F79003490BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551021Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:25.685{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC05072B897695804403B73D2B39A10,SHA256=D30F5A9CB3747E79CA0AF3FA4F8D3874032DA235A64E6BB72CBE3D19DFA0DF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005496485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:25.801{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7266MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005496484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:25.800{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72662021-09-08 19:41:25.799 11241100x80000000000000005496483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:25.799{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72672021-09-08 19:41:25.799 11241100x80000000000000005496482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:25.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:25.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17474D046B647803B6C71DA085BD7205,SHA256=AF67EBAE77FB78CA09345C39CEBB3E191C4FCAF76A96604F5464CD563DD83A3Bfalsetrue 354300x80000000000000001551020Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:17.734{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61727-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000005496488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:26.814{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7267MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000005496487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:26.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:26.377{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BD42F1EA428EA2A46A186ADC12EC13,SHA256=24810EC5B4DCE9C51B38AE156141ADD57FDE251D7DB61E241A9F6BF9C5D12563falsetrue 23542300x80000000000000001551022Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:26.688{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CAFF24DD97642ED6E7A5BA486BAF02,SHA256=342D473CE1F1F0266CB4E89A898AC3A2023DA4922711A33C46CDE5DB17971083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551023Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:27.690{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414A70E19790DF92B246D9D8B3061939,SHA256=71D5A6D8FFDC5096B2D0EB9AC24DD6315DBCEC770F22F2C81C796FDB0DFD1BE5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9969A5AF2437580369DEB40B2C4D4DC9,SHA256=F7743843CD1A9150CE659C5B4FB6D1BB36D5BADB3284386386944E3A71A5DD5Dfalsetrue 11241100x80000000000000005496494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.378{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.378{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE35ED9C728CF9183DE8DE91D1735CA,SHA256=4BA63EA4D0925634F133FA432309E2454CBE42F3A6F1ACAB12B79C49D9CAC4D2falsetrue 11241100x80000000000000005496492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.032{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB4B934A1CEB2E94127C648EB943169D,SHA256=DE842C9909964C5DB3A261B6E318AE6379FD043550AB0972006A280B5F4BFBECfalsetrue 11241100x80000000000000005496490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.016{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.016{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85151F0EBD5D86B68C7831DDB572AECF,SHA256=65BD87CE8883D57D785E8639C2E0928FB5168F3856D6A459195550295818D780falsetrue 11241100x80000000000000005496498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:28.410{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:28.410{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7318C60C3E967FE44E46FD0F75C26D09,SHA256=C2D8BAE0250C4FF9EFCB8D464B9336EBD92C4188AA3D319C4CF854EE23D79492falsetrue 23542300x80000000000000001551024Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:28.693{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F72041900B4068B3A999634D780B8E,SHA256=13FED7918901637FF518497E9CBDA21DB2C746990E864ACB6F3BB07F2609DBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551027Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:29.695{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944302D43348ADCDBEE22C6CBD8EF4E5,SHA256=9ECAF15B03C084F3301E5630F6621D78588D45F6705A86389053F6811F878C26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:29.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:29.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70549949D79C933517130E941320D8F8,SHA256=647CCDD3C27A99CB4E77ECFDF9873CA04C32882D7BFC1CFC0FEB8F06198E8BD2falsetrue 23542300x80000000000000001551026Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:29.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EB03903C777F0DCE20BB8063CC71B8A,SHA256=A99D317ABF9415CA279C8A68013037D102AEE12B711DBF93A6EEF1692D0FF84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551025Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:29.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6324684ECEC750F1F4E52D93DD9436C,SHA256=5D5D2A2872806CF95AAF9572A64A1B98152B7980135F3CDD070293C373E13BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551029Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:30.697{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492A24E8288CDDAE3D0FE8EC2E4ECA84,SHA256=6B066E720424CCD470C501FA9B761D589B540DA5B6D8DFB2C6F1718B18FCD473,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:30.975{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005496505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:30.975{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A61129BB464915CF6FBD1A1CB0BAF977,SHA256=479FCF04AA5D7CC762587CBF9676184EED76AEDC9EE57B0166F9CE158F7968F0falsetrue 11241100x80000000000000005496504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:30.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:30.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F9CF588761E9C6E6F727A34EAD4A8E,SHA256=33F19B412647F0E5B64815F7D2B7281ECD47E1AD68E4328954DC4FC3F321201Afalsetrue 354300x80000000000000001551028Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:22.809{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61728-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005496502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:30.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:30.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C73BE5E50F280836E647F1FBD8552A61,SHA256=6852AC0A99D53599C066992F4F6651D2AAAD0B50C29FC0E297C2518979507BEAfalsetrue 11241100x80000000000000005496513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:31.943{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:31.943{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B77C6D0A7AF1E1B389A35DA042C5826F,SHA256=E95CCB63371CA135ECEDB8A9BEEA03D0F84B7B4D06DD6C7033568DE03584469Dfalsetrue 354300x80000000000000005496511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:16.568{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49796-false10.0.1.12-8000- 11241100x80000000000000005496510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:31.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:31.897{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=382D4074B6C0A41AE7FB020B2E3DAD1A,SHA256=10DC587D43C3731AEF9F310D8CE8B0438CC1A56CC458745EFED70E9248C61614falsetrue 11241100x80000000000000005496508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:31.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:31.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BDD9CBF81CFFC1DBD535B6DEAEC83A,SHA256=2CCF6F777A2A6D16C3166E8690E9F46E531824987DEF1E3C5EBE26646F84856Cfalsetrue 10341000x80000000000000001551040Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.752{AEE49BD1-11EB-6139-A8D0-00000000F101}12204932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551039Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.698{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7261891124F40544845760367231247,SHA256=CFC95F5084F79B9781E2E1CA402054D89F53109D0537C0E3444558EFB72BA28C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551038Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.633{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11EB-6139-A8D0-00000000F101}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551037Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.631{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551036Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.631{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551035Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.631{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551034Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.631{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551033Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.631{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-11EB-6139-A8D0-00000000F101}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551032Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.630{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11EB-6139-A8D0-00000000F101}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551031Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.615{AEE49BD1-11EB-6139-A8D0-00000000F101}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551030Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:31.251{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=088EFB745D8214FDB435761F59804B42,SHA256=5AD8CA80AFA38A73FCEFB03AE07C89B9A630D14798620FB92A9047D3BE297E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551051Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.700{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BE9839CFA94EA09B0D755C9BE4EA15,SHA256=57110413D21297056808D7A715956148A403124F1F396BF68996BA5F086C162D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:32.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:32.803{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9EAE96DF489D9425A6E6721BC8AD3263,SHA256=F39660AC6F7CF5B366AEC685D76F24980D7D877952006CD041C3FD1AE03E79E0falsetrue 11241100x80000000000000005496515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:32.678{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:32.678{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C67A9F13788E3B728AEF0D1BD66DA1,SHA256=593449B433AA614FDD8BBBA2D92DC4963D758C23B7EECB06D9DE7CC4523DFD27falsetrue 23542300x80000000000000001551050Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.634{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EB03903C777F0DCE20BB8063CC71B8A,SHA256=A99D317ABF9415CA279C8A68013037D102AEE12B711DBF93A6EEF1692D0FF84C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551049Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.437{AEE49BD1-11EC-6139-A9D0-00000000F101}56443088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551048Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.316{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11EC-6139-A9D0-00000000F101}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551047Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.316{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551046Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.316{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551045Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.316{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551044Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.316{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551043Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.316{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11EC-6139-A9D0-00000000F101}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551042Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.316{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11EC-6139-A9D0-00000000F101}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551041Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:32.301{AEE49BD1-11EC-6139-A9D0-00000000F101}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551061Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.701{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE72CD88FCBA4ECF1D7C225341ADECC,SHA256=2993AE75BEE8AE50034859D416C4A01A2A5A6CA530CC4D4242108F0C66AF9706,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:33.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:33.693{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAF0CCCFE9C00BEEBCF8D62C99DCFEA,SHA256=006F5AB904E6398DAC765433AA2E3CE704296796860C1223661F62364CE230B6falsetrue 10341000x80000000000000001551060Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.138{AEE49BD1-11ED-6139-AAD0-00000000F101}11802452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551059Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.016{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11ED-6139-AAD0-00000000F101}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551058Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.016{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551057Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.016{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551056Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.016{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551055Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.016{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551054Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.016{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11ED-6139-AAD0-00000000F101}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551053Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.016{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11ED-6139-AAD0-00000000F101}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551052Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.001{AEE49BD1-11ED-6139-AAD0-00000000F101}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005496521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:34.725{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:34.725{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E898C6853B90AD5439B9CAA362940E,SHA256=7EF36DE960FC47F3D0E7F9354F8FF45C81289B739FB99993124DE5DE8AAD5C33falsetrue 23542300x80000000000000001551063Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:34.704{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3D1D486189047D8C6203A694D3B20D,SHA256=B45FC712D784158224CD461FE5DFC3CEA8A3C323FD2C34762870F5C0EA2D503E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551062Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:34.002{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A00E3430E384FE09C921DAF17811CCD5,SHA256=80CD99F04AAD3485215F68AFB72D526BCA1030EFCCA2071F42882F3598D08F63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:35.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:35.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C7A6EA60A526E8C9AF8882C270C8E0,SHA256=E18DADEE9512D977F9B1E9DECD2A3C17CA346A260ACBFC6F4CE16D4E93EEE56Efalsetrue 23542300x80000000000000001551066Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:35.706{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A60FAA8E7919A8EBBBC4B23C23AAAF,SHA256=103FFC3790C165D87058A4609DD395EEBD9E60498091B8CAFDB4331BA449B253,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:35.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:35.256{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C428D31C1394D35C8CFB85EEE5B3A57,SHA256=7BEEAE30A1DC9732DC4CA85EEBB8964AAE58DA3D0FF1C23911A649C88C0BA3A1falsetrue 354300x80000000000000001551065Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:28.720{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551064Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:35.139{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA81BED62EE79122198B3142B7CF7BF,SHA256=61218B61E24D130218D852F21F4CC609FF78BA289EE4A617EDF3697D86BEA1BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:36.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:36.834{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BEDA50EEDDC716AA13A60B958C2F65,SHA256=63AC441AB7D7D450D671499655F56380F473D1FBA24E0F52AE8E1ABDB12D466Dfalsetrue 23542300x80000000000000001551067Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:36.709{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF469EC1050513CDC5C2A98BD636F4DD,SHA256=861148AAE66CED27A34F262266B3DFE6771E3B8BABEA71B14F502613ACD7A9BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:21.711{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49797-false10.0.1.12-8000- 11241100x80000000000000005496534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:37.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:37.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89454B8272EEADD593A4E54EDBFD905F,SHA256=2C8537F8D990E9A3291631E12907545BC86BD0429F252B0CFAAAAD6357D29372falsetrue 11241100x80000000000000005496532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:37.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:37.850{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F64D6F51814FE0FD329AD60F22DD758,SHA256=7E63C0B09192AC3BABA182567E0D8B9C0B6126799F136EB2B9167A70E25C17E3falsetrue 23542300x80000000000000001551068Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:37.711{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A156172524235E4EF46F2F30062650,SHA256=C03DE9989EEB58BAB58B3E5DB9C2C209A5D922E0055F3F656FE76674E9A839EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:37.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:37.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87F11F2A42B865DBA1C288B5F8CF6D2A,SHA256=A17DE011B6E4C0619D7D579FFB224886A654800DD96D080E7B8CE040E45EA890falsetrue 11241100x80000000000000005496536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:38.865{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:38.865{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CCC9D705D32F735A9019A5A058CFFD,SHA256=E9A3B3F4CE6EDEB4F7450B2E6665DDD370FA9A1CE2C61EA324263099E201D316falsetrue 23542300x80000000000000001551069Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:38.713{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E24D94F17B99FA1E0A6FDC08AEB815F,SHA256=2D2BBB078B71C0DC47E6488B9C8F17B65E22D47843D62EE81747A8354D1DC909,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:39.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:39.975{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F857B1BFF499990A84A19DA90854138,SHA256=A18855C9012EFAD7AEAF2C273815DB7474770AC3087468083F15B9E893D34AF3falsetrue 23542300x80000000000000001551070Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:39.716{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9656285D5D5D5625E6888E2AB251C6CB,SHA256=369A84871C00CA1559B9E81C11AE1491BA8CC7D20C7C716946243F53393F7852,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:40.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:40.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BC77A2317E9CA21CCC3FCC343D14CD,SHA256=214012CBDA792EC76B5000F4EF5D973CC448B5202B1F566EA0B691F83050372Afalsetrue 23542300x80000000000000001551075Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:40.903{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7257MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551074Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:40.717{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F94EBD494F8A360B03C3A47919B66C4,SHA256=ED7A685CEE11BA68CA75097009B537ED61A465F43775C98DEB1FA5A57384E91F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551073Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:33.850{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61730-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551072Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:40.269{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6688F2F46BA5BA4AB046B29A1E24F1D4,SHA256=455D98BD260D729C233BFBBBA0CA962699B190E3FBA040FDC94AFD953691583F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551071Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:40.269{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91394EC7B797BD19213EAD921ACAAF02,SHA256=BF5D7DAF19D8CEA79E30361F311172ABA0062A024E7D3992593128F80D3A2E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551085Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.903{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7258MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551084Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.718{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A022C776A181B21CC8181DEF826AC4,SHA256=F066D68683B10628EC787DE702E4DB55D34552A03AE0226D8B594D08C0F0481E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:41.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:41.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABBFDD63356FE890F6B6EDB83E254268,SHA256=9F1176768EB207A725BA038078307D2B828271DF5E799E2C60181D4140B1D8B7falsetrue 11241100x80000000000000005496542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:41.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:41.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48B157D533D11F6B6C61350724F78A9E,SHA256=0729694F3E30844FB28EE4A483DABD2B9070DDC59057B6267FB25B035548C636falsetrue 10341000x80000000000000001551083Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.534{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-11F5-6139-ABD0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551082Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.534{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551081Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.534{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551080Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.534{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551079Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.534{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551078Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.534{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-11F5-6139-ABD0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551077Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.534{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-11F5-6139-ABD0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551076Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:41.519{AEE49BD1-11F5-6139-ABD0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551087Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:42.720{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8C72B2B27171AB636F1E43916C6D7E,SHA256=FF4AB89E5FDD278471148A63D64A314740A9699D6B75023CD71EC97387ACEB47,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:42.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:42.928{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB98A05F08FA495137CD6C62E984D61B,SHA256=C4252BBF38D53F40664FCBCE1B6CB8AABBC9272B7D60E5FD2CDE05D39737646Dfalsetrue 11241100x80000000000000005496549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:42.444{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:42.428{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4CECF863BA3DDB5A5A48067FFE32EAA,SHA256=5F9CFCD5B1880C4E7FD4B2CD390D1440EFE5ADD5671EB83F7E3CFEB4F30A9E97falsetrue 354300x80000000000000005496547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:27.696{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49798-false10.0.1.12-8000- 11241100x80000000000000005496546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:42.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:42.022{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94FD7AC50A7DA159E1A38350DB8F6DB,SHA256=7C4F3B3497A9B4532A3E959D3A6D7809D56BFCCBAA4F1BBAC3F5AD851E3630AAfalsetrue 23542300x80000000000000001551086Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:42.535{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6688F2F46BA5BA4AB046B29A1E24F1D4,SHA256=455D98BD260D729C233BFBBBA0CA962699B190E3FBA040FDC94AFD953691583F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551088Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:43.721{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687E63E1B42E09D0C7BCA72E2728A911,SHA256=48D8986D00F6C400B69A78A9E37DCB3F209B4E631C99AA088CE9651F5B0C2F0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:43.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:43.194{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2771E60E498E71353C32B45032B01D1E,SHA256=905C8C4FD111686C1172A9F95837FB0412BAC77211F0C24FA5BD154D2C88AFACfalsetrue 23542300x80000000000000001551089Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:44.722{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58514C964D21F211D6DBCC7DBE91137,SHA256=0A3C073C7C7717119E75F8058774BCE4AB43FDBD7405F3225FF8B499DDA3F241,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:44.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:44.209{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07FA5C4C57DC52E038C95F9CB1ACDE8,SHA256=51CF1BF48F6252E261C71A65C1C094B862241F90658E3C6D579469834F67A3C7falsetrue 23542300x80000000000000001551090Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:45.725{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE55C2300A24CE9EB897ECE6D07A9D3,SHA256=D593141FEB5A8E410A2958A9223C5A34B328EE968A346655BC8CAC5EA5491CFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:45.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:45.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C42F7012B2C400FAFBF7C123997F358,SHA256=0764AFF1DDDDE4465098F9D366DF3C0A59BF199508B71A0F82A96BED8E93DC23falsetrue 23542300x80000000000000001551093Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:46.727{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F3D35689A256D3A846510F66D222D1,SHA256=C2C60D532478C0AA49689AA2F10AE28B5CE66816E824588B84BCC80A6F1856A1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005496578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000005496577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000005496576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005496575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005496574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000005496573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000005496572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000005496571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000005496570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000005496569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000005496568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000005496567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005496566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005496565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:46.990{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 354300x80000000000000005496564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:32.711{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49799-false10.0.1.12-8000- 11241100x80000000000000005496563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:46.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:46.240{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA6E592CCA255D9EA1C8A8E0D7EB05D,SHA256=3D869F6B88CC58FBB71146E7191AF3E893FEA9DB69E6294195FC7016F3030082falsetrue 354300x80000000000000001551092Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:39.641{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61731-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551091Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:46.059{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891D184B00A1BB2DFD30AFC08C3D94E5,SHA256=656B44A4AEDFD7F0F50B3255ABBF94C0426CD0DC7722B5498E48A8565B74256B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:46.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:46.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F6E2FD62396400EC033BB008D5C7EE,SHA256=CBFD6D0DE2FD8384A5D5E2011F849DEF6259B289EBC915CABD540CB6A23B4CCAfalsetrue 11241100x80000000000000005496559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:46.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:46.225{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABBFDD63356FE890F6B6EDB83E254268,SHA256=9F1176768EB207A725BA038078307D2B828271DF5E799E2C60181D4140B1D8B7falsetrue 23542300x80000000000000001551094Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:47.730{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4704674AA6B09BF07648B1EF88063047,SHA256=A21741992690B1F9829FFBE7CEBA68895DD508061B5A264FD1B577A720EFC9DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:47.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000005496581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:47.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:47.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5000C995D126F948E133AEEAE8E8FD2D,SHA256=FFE38B0B6CE835C9D5155F6E4484383160E542F1212DC8C011A0685382347596falsetrue 23542300x80000000000000005496579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:47.272{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81D2D39887265D363D0046CECCA2899A,SHA256=68564EAA7EFE59F03C336DA8C7997BB1AF1AD1694D72DC4054C7FAC88827075Cfalsetrue 23542300x80000000000000001551095Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:48.732{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3493FE95EC4013EECBC4ECEA8D947EC1,SHA256=AB977597FE312E2EE394B4BDDC8A56F6126F5527C1D5D706EB5B9940A1AED18C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:48.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:48.287{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FE6F36CD471B4DFA137FE547F44957,SHA256=6606551A438E93F6751918777C47224488E90FCB5A0A33DDF21F3DB381E89700falsetrue 11241100x80000000000000005496584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:48.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:48.006{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9EEB8DD47D5511CFB03F08BFBF5F4DE7,SHA256=E5EF035766A98B1C423CF6601227F9755BB00D4EBF6FB649F465189CC05EF4DDfalsetrue 23542300x80000000000000001551096Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:49.735{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA35E612B649358FC3C15EE73C4EDC7,SHA256=9ECDF234F68F13C2F7C1820B9039E4C13BF417E3F89D74D7234A6A9DFDE50D6E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005496602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000005496601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1aa70e93) 12241200x80000000000000005496600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000005496599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e1-0x2e69e889) 13241300x80000000000000005496598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4e9-0x902e5089) 13241300x80000000000000005496597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f1-0xf1f2b889) 13241300x80000000000000005496596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000005496595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1aa70e93) 12241200x80000000000000005496594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x80000000000000005496593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e1-0x2e69e889) 13241300x80000000000000005496592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4e9-0x902e5089) 13241300x80000000000000005496591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:41:49.662{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f1-0xf1f2b889) 11241100x80000000000000005496590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:49.412{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005496589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:49.412{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005496588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:49.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:49.303{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B898E495C8326718864F046BCC865C,SHA256=B68ED4F289D8E5522421975999DA75919FC33031E53809E7F89FB7677A8F203Bfalsetrue 23542300x80000000000000001551097Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:50.738{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7B33061F8BCD6A97EAFCC3E05B9AD6,SHA256=AE4E277EDB7990B3E8CDDE4584DB92F14B33EF69AA04E7AFDA04F8C403F5053C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:36.899{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49800-false10.0.1.12-8089- 11241100x80000000000000005496606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:50.444{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:50.444{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F6E2FD62396400EC033BB008D5C7EE,SHA256=CBFD6D0DE2FD8384A5D5E2011F849DEF6259B289EBC915CABD540CB6A23B4CCAfalsetrue 11241100x80000000000000005496604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:50.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:50.319{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAAD80804FA1FB32793BD2B30034416,SHA256=008AB28C46EFBF2C4BFBB3E33B10B386CE276F8D9FD41B44D64D3BA95CF09D4Ffalsetrue 354300x80000000000000001551101Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:44.707{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61732-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551100Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:51.754{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8FC328034C2965D6E3FC2B550A57C5,SHA256=74AFBF737DA5401C11F50AC827897E266BFC91F7E208998F1213AA8395D37165,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:51.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:51.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=431BA9D6781F123EBEE7115DBEC8AB59,SHA256=4FFC04469D72E532CEC9D68F10814CCE00B643858B6414C8CFDC4A0A76E700AFfalsetrue 11241100x80000000000000005496609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:51.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:51.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36129FA3CD32A927491C4A885BD228D,SHA256=D9B936A82F8B1257CDBC6B2003AB36A6AC19E7504C6CF2E99AA3168C9D172A10falsetrue 23542300x80000000000000001551099Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:51.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=242798C4F8A3B8E95CA519C7CF8E3D15,SHA256=2F2BE3DF62FC165FC1D30396DCEFBC14D714DF4DCFC7A4A8722B8D6248C4490F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551098Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:51.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD4C941A8C16AB0EB68834AB04E57F2F,SHA256=03E949C0530C51D1A82ABFBF5F2CD38C8E42F7DC3DA323AB22990E7B899E7757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551102Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:52.756{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0783059CABD91DCEDA0F83CDF0FED24B,SHA256=44347F40D08FC41924DD588459F522C81ECB3383A2A09028133A193C721347D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:38.704{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49801-false10.0.1.12-8000- 11241100x80000000000000005496615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:52.530{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:52.530{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5858C3A56B8D0D154E052675A95AAA26,SHA256=B28AC95E0E7D2FB8D0CDA05EB6C754522625EEB663776AD31C5B0A9A46256A93falsetrue 11241100x80000000000000005496613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:52.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:52.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D009DDC0B86E1C66F26E4A585DCBF7F,SHA256=9B7397D8071F2ACF306530E1AD2BFD6BC9BD325FEEA8DBCDA6EC47573D75E92Bfalsetrue 11241100x80000000000000005496649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3781C21C07C3A8EF1348999609E8D603,SHA256=EC6E8EC69CD3E0C2272F1675CB069422B34ECA0D7D9B24B5A2D7F811A0FFCD7Bfalsetrue 23542300x80000000000000001551103Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:53.759{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E380C779CD3F93D9104CC8BBA84A5EF2,SHA256=AB1F3945927F77A1D10B8208955FE90C8B349D2BE422414DE01FD879B9E9C0E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005496647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005496619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.437{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005496618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:53.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F357D8A4211B3E705B354074C95DC035,SHA256=F53C5CDA9226C1B2F72ACA0FB60EBD1B7677E8F9E75E1DB6834B94FED0825AE7falsetrue 11241100x80000000000000005496651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:54.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:54.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D3E9B71BEDA1540E5C37060FFEE199,SHA256=F1FC794DAC92B5DD66AD7D978F92440B3413491CF1D880AC632EFFB3A37555C8falsetrue 23542300x80000000000000001551104Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:54.762{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7CF0822B362939600224A94302CB45,SHA256=A540B834786EFE8B414DDE827154363B63F25D1B01B4C161B3481AF1C32DC566,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:55.859{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:55.859{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7C4F863E9BF287C826CE62CEAB8A46,SHA256=D29183AF9DEF5840F54559592A1926972461C726123C3A14C3DC416D0EB027FEfalsetrue 23542300x80000000000000001551105Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:55.764{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDBD867F46FEA487A8323D00AD69C86,SHA256=F150B0E92D9280BE5C8F3BC69FD6B433EF6D279299DAA05A5DA4DCD6E0F80799,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:56.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:56.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC8A9A6C5B6CF739CFEC275ECAC9445,SHA256=8396915E66E36D15DEBE165729D6C1CBA73BC7E62E2664B32066F85F021741F1falsetrue 23542300x80000000000000001551106Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:56.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F9815726EB0F00F0DD829905576058,SHA256=CF4CE7084DDEF5459E94A81AC4412F76236A07CBD82F229079817660B8AB68A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551142Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.853{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E494A3447AB32763ACF488973DDA7A2,SHA256=A30B8C8EEFC1BB9EB49A9201A8AEEE05E41CFCBE6CF77D9345BB07278896C4C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:57.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:57.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=636F64C497C1ED7B95929198D2C13096,SHA256=53EF45B6C6E2F56403D8842435532B87D01315637FE7104B32B52A72325AB580falsetrue 11241100x80000000000000005496659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:57.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:57.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBFFE8401AAFE217713163D628D21B9C,SHA256=A054E6B51BE191F2CAB8FC0F06E2844A2ACE4480FA5C57A703DE9993A972C885falsetrue 11241100x80000000000000005496657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:57.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:57.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00D02B229A76F07E42369E76C5BC3776,SHA256=794A13B15BE1A3F567B8DF16133C5F89E1A787AEEB073107D243555364FDFD25falsetrue 354300x80000000000000001551141Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:50.735{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61733-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551140Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.151{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE269430FCD510E2D3E21A6E2D209D9,SHA256=9CBD28589C4758CD9BB0E09BE8B61AADCF7B20AB039271DED5FB7D1BA9031235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551139Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.151{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=242798C4F8A3B8E95CA519C7CF8E3D15,SHA256=2F2BE3DF62FC165FC1D30396DCEFBC14D714DF4DCFC7A4A8722B8D6248C4490F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551138Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551137Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551136Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551135Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551134Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551133Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551132Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551131Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551130Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551129Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551128Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551127Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551126Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551125Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551124Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551123Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551122Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551121Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551120Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551119Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551118Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551117Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551116Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551115Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551114Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551113Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551112Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551111Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551110Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551109Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551108Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551107Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:57.067{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551143Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:58.856{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD5E36ABE43E588C104AA123BC192AB,SHA256=030C9A9836A40DA31A204845BAC149EA6B0C7FE9ACFE917BBC37D5B05B79C39F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:58.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:58.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A9702892BA6CEED0DCB1AE52D6245302,SHA256=A248E9EF26F13FEDEEA5314BC895538AD6D08FBCED49166F06F2E9C737A39C11falsetrue 354300x80000000000000005496664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:43.736{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49802-false10.0.1.12-8000- 11241100x80000000000000005496663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:58.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:58.062{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D3CF26773E5621F003BAA069DC8522,SHA256=72874FBA22EB1158C438C5BAFDEA6B49D14E1677D8CCEB81E5885D7E4E3FBDBEfalsetrue 23542300x80000000000000001551144Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:59.859{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1362F47DEE8D574E03C7870CE1DA558,SHA256=045D5E1F87F65885008072D6FBA76BBFEB69D3A7DF5426702CB21BE39352CD15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:59.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:59.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A99A969B87DA0A3B1F86897C7FB2FFA,SHA256=8FEA61E8AF609F2012614DB20EAA7AFA8C0AAD31CCDC3A1E70F3E7057FE1C7F3falsetrue 23542300x80000000000000001551145Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:00.898{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893EF884A97CB35314BFB0937BC9C79E,SHA256=3D2BF88917FE38B7D419D1FE0EADB2E59095202F960FC604E11DAB9184CC869B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:00.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:00.109{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1B17E5B2EFAC5B7BD76D856A01B81C,SHA256=3B416745B48D620553C62C98A44AA588DE7D234D3EBA8FDD3583D7F3EC965FA7falsetrue 23542300x80000000000000001551146Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:01.916{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B110A6780F8C1E2E5E420BCA60F8E,SHA256=95CC88D03ACAEDDD493EB07882C313DBF51C763D6C79BDF50F3B90B64ED1F5B3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:01.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:01.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA6DC1E1B38382BF3D8D4902B29F7A6,SHA256=ED55EAE682D80B5C6A019EFFA9BFC404534A2495AC83241C3F7788846BA5123Efalsetrue 23542300x80000000000000001551147Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:02.918{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10050D451CBBADC3356313BE2F76698,SHA256=8C2C97EBC1FB39836D7DAC0FDC33EB09FBCE1C8F687B5103642C07A88DF7B849,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:02.499{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:02.499{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=057A18C8B5E3D2F301F8C3BD64AB83EC,SHA256=88F9033000A45470931ACB8C7C1C3F7C60A5E209F9F8106ED3BC9055CB4475D6falsetrue 11241100x80000000000000005496674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:02.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:02.140{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB8A7A5B17D717943C86F29A5049D32,SHA256=0606922C3698FCEFAA0EF37509B05EDB8B00CE9D005271C6C22A4525036FE786falsetrue 23542300x80000000000000001551151Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:03.952{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D264F62A881F89635EDD21DF0F5C76,SHA256=7B9309A92E2552B6D1C321B062EF1AD0316D4002AAC1D7F075B26A4E24E0FF80,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47A5486E6EBEF7AC3A01011DDC8979B9,SHA256=C1CE94661870499D154F83027CF548BD003B6A5BE5C5D27AA3FF510BDB4C8B74falsetrue 11241100x80000000000000005496682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.265{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBFFE8401AAFE217713163D628D21B9C,SHA256=A054E6B51BE191F2CAB8FC0F06E2844A2ACE4480FA5C57A703DE9993A972C885falsetrue 11241100x80000000000000005496680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.202{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.202{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3DEB4E60A1BCFAED9EC86A6AB6FEA716,SHA256=D4D2DDE9158EB39E644818AADBA76820846DD67ECDC49ADC9130B4F0155000B9falsetrue 11241100x80000000000000005496678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:03.155{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8461BF37D0DF9FE04446344E05980B2C,SHA256=E607AC5F0D4D0DD45D2F5EFA60D864D50EF8A2317CCDEB2776098D41AA732A9Dfalsetrue 354300x80000000000000001551150Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:41:56.695{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61734-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551149Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:03.099{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC8E68E064D5BB2819724D108EF6D810,SHA256=4D77358237343B0372C9D9C3EFC5A8E5F86433264BAC8E4A21AC260B5F6D2893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551148Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:03.098{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE269430FCD510E2D3E21A6E2D209D9,SHA256=9CBD28589C4758CD9BB0E09BE8B61AADCF7B20AB039271DED5FB7D1BA9031235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551152Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:04.955{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7172693A6596C8D212D30E2CB0FA6A2B,SHA256=EDDC661A2B9E7C4B897FC5015CE433D8E5ADE0D5420BAD8BA47E3EB4749839B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:04.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:04.187{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8888A2A392CC23C92B817C9D451568CD,SHA256=8AECAFD13748279292DF27608281E56EAE7C729A573B3BE5B0BE8D9CFABB5892falsetrue 354300x80000000000000005496685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:49.751{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49803-false10.0.1.12-8000- 23542300x80000000000000001551153Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:05.958{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26866C56326C7787EC489CE54BE90F2F,SHA256=EAF09FED66D0D16849B479AB6495D9AF595588C3A4F948B682A18D100382E07D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:05.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:05.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CF648F67F602453A2348DE1ADB6FFC,SHA256=063FFCE649A9136A092018B82054848B54E9C54812342C7146AF7D1FDB177882falsetrue 23542300x80000000000000001551155Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:06.961{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510826B0AFCC59D08A3FE72A9D729AF3,SHA256=9C5931994656629930DF4C9DB2D3813F5EDAC3F60C068C7BD0841BB38C928A95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:06.921{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:06.921{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47A5486E6EBEF7AC3A01011DDC8979B9,SHA256=C1CE94661870499D154F83027CF548BD003B6A5BE5C5D27AA3FF510BDB4C8B74falsetrue 11241100x80000000000000005496691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:06.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:06.421{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31A0432CDFF298EC84544CBB5F89C50,SHA256=BD49AA4FA86559C4C476E61489193D6E33A15E2EF685FCD993858E4A747A5858falsetrue 23542300x80000000000000001551154Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:06.591{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=802018BAD461B7C2250B10D8A334DE09,SHA256=417702B47D712D25B53782C329CA1941815FE269B80BC3A5AB85D3CA0FC7C6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551156Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:07.963{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040ABE2CFC2D895906544EB0282C1AB6,SHA256=A8E49648A3103BA7C1110BE766995314F6D5CE9B24617EC5A5941311B068CDA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:07.437{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:07.437{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D229856BD02636F35E72285ED3489253,SHA256=ADB824140BC7C8D9B5B1F666EFDE06A4C83AAE60D9A747CAFA8D315D14DAACB0falsetrue 11241100x80000000000000005496695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:07.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:07.406{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CFC2157D5C354A48D988CD674E7BC964,SHA256=057CBFCE92F35D64B3E9D89B60D7950C1B23E225744463AEA73B89A522CC671Ffalsetrue 23542300x80000000000000001551160Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:08.981{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D93BC788FB9607D5F27724AC94CC38,SHA256=7CFCCB5BC221286DEBBD3120552C7B936AC6B047A8382E8D30F73A02A454004D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:08.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:08.452{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851DD548833687445B67C8D38CCF1518,SHA256=1DF00ADDD2FEA4EC0300AA9727A506C3692AF06BDBA0618919D0C5622E66D945falsetrue 354300x80000000000000001551159Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:01.795{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61735-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551158Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:08.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B812562F560A90141629AA7AA3100D,SHA256=A5916EE51A8832F39C3D230184A0D4D48E25DED3283E8DFE6EF4EDAC9769B49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551157Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:08.213{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC8E68E064D5BB2819724D108EF6D810,SHA256=4D77358237343B0372C9D9C3EFC5A8E5F86433264BAC8E4A21AC260B5F6D2893,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:08.312{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:08.312{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC10DD94A4BB8A10264EFA3B0492A8CB,SHA256=60762FE02F6884CECCD08A87C89EDFA7DAE85BEBE3D03EFA4BE81E2A6F920BC7falsetrue 11241100x80000000000000005496699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:08.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:08.249{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7EB03F4A2A77B1916E3D485EF0D35879,SHA256=EA147308E30851B3609F8E8BDCF413D98B07C21EDB208835F71C38E6BABACC67falsetrue 11241100x80000000000000005496706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:09.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:09.468{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0102A4D11ECEE225458CC0532E70DB5A,SHA256=FFBBCD9742F928E2A68CF2DB01CF4067691302A32CBC70B2E352043F22AD6E2Efalsetrue 354300x80000000000000005496704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:54.753{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49804-false10.0.1.12-8000- 11241100x80000000000000005496708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:10.562{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:10.562{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B3E65A119463CCB0F7AD9555CC9910,SHA256=0772393DD9748B5CC8CB2CAB9D907BE073DB3D5DED2DFE3FD109A05577F52EBEfalsetrue 23542300x80000000000000001551161Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:10.016{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E7BE47331097E867F216098926632A,SHA256=149C30BE9936568CC3294B7620D4B2E15DE137122C1C23CF9B09DBA9D042B16B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:11.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:11.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E0034AF3B60381E579AD949C8E569C,SHA256=746C57E5A38E7CA53E6211B98AF7CAFB774C4384FE61174F04A799459F42535Cfalsetrue 11241100x80000000000000005496712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:11.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:11.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CACA9584ECB653920C7118D0C7B7017,SHA256=BC561FDCDE0CAC0752F36095F6F02E3B59F6E55B81592FED403B4C0FECD2BD8Dfalsetrue 23542300x80000000000000001551162Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:11.038{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CD9C128954B5896214593F65AF3235,SHA256=BF4056EC15DD9C1E28711E014746AAEC72D43BA1682760ECD1F1C58B53C263BD,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005496710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:11.266{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005496709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:11.266{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005496718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:12.657{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:12.657{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=018823572671AA7289DFB0E6CEADFE59,SHA256=9D7AB103C3E9F9BDAA79282B11AE72B8E60B128E1527595079EADD8FD7E480A2falsetrue 11241100x80000000000000005496716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:12.641{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:12.641{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFFFC2055BDB37C939A266C4F32D7FE,SHA256=F885D4D99B7E448E49C90797C496229EC1D2F1088B917CB9D8AA2DAD689A6924falsetrue 23542300x80000000000000001551163Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:12.040{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D41D64138FACAB1E3A4FC735CCDAACF,SHA256=713640B75A11E6240796EA5417463E2AEE5C53CD45DB6AB9DCD41152C3086D0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:13.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:13.735{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501CF72427BA5AE9622D33518F650AB9,SHA256=EF94B4E381A50E3DD4A6F8E70F024BA65AF662A2703AAC8343C3C8064EEA5AD5falsetrue 23542300x80000000000000001551164Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:13.043{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E6A8BCD9FFDBB84932BA308E0B267A,SHA256=210ACB17E788D3506CDEEC9C47E34FF65978A01336D00C8D6DBB23118D6D86B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:58.767{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49805-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005496721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:41:58.767{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49805-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005496720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:13.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:13.282{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=26CBF75D355813741D3F97E9AA3C867E,SHA256=64311214A018D50ECA2697DBA01A3C570C682598948EC772C74D8C4464DC81A6falsetrue 11241100x80000000000000005496729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:14.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:14.907{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CE5FE25E7862B4C1EF0F5F7C92BBA5,SHA256=AB6D66D5D2C0944323D5CAD256199D80811AE75A384AF94F181012B685135EB3falsetrue 23542300x80000000000000001551168Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:14.848{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551167Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:14.108{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64269F9DA0914210EB0F8F0BFC65F7D,SHA256=D56182FB7975CE88F880CBC4B9CA54FB64735397B1DA591A8FD42093FBF6393D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551166Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:14.108{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B812562F560A90141629AA7AA3100D,SHA256=A5916EE51A8832F39C3D230184A0D4D48E25DED3283E8DFE6EF4EDAC9769B49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551165Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:14.061{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431E8F13D4ECC5E735EED1370A1B59B4,SHA256=E5836281853F621791A7609968F41ADF7E1E9D503A6102304E7D3E4A916AE129,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005496727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:00.705{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49806-false10.0.1.12-8000- 11241100x80000000000000005496726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:14.250{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:14.250{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93F052EEC7E38E7F2A33214EF2754CE1,SHA256=BFD8A7B8C7BB0907EB78418FE00FEF5927761371C8D51630C031256F23F2F0C5falsetrue 11241100x80000000000000005496731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:15.922{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:15.922{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C7956AABFEE73FEC776D13E4BDC07D,SHA256=52FE439DB3955D8C356C704E8D638C2BFF87E79AE81E83AF95D571BE9BD2EDCAfalsetrue 23542300x80000000000000001551171Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:15.830{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64269F9DA0914210EB0F8F0BFC65F7D,SHA256=D56182FB7975CE88F880CBC4B9CA54FB64735397B1DA591A8FD42093FBF6393D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551170Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:15.110{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA58E15B8C475EBD44C19670DED4938,SHA256=96375E54292AD141449BDA81FC0D786A231970AF11617A72C33C65AF9DD9F9BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551169Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:07.676{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61736-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005496733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:16.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:16.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD34150F42215B3E563F7CE81A79299,SHA256=A4156EA8C9981BB8C5FC90B3DA0257C72E56140E3F0C0165D6CBE6DEC5ED2C06falsetrue 10341000x80000000000000001551181Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.851{AEE49BD1-1218-6139-ACD0-00000000F101}29285944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551180Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.733{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1218-6139-ACD0-00000000F101}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551179Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.732{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551178Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.731{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551177Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.731{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551176Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.731{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551175Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.731{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1218-6139-ACD0-00000000F101}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551174Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.731{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1218-6139-ACD0-00000000F101}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551173Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.715{AEE49BD1-1218-6139-ACD0-00000000F101}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551172Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:16.113{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E198D1F4A2B785E0B7DF9448C78C12A,SHA256=45B5521C50272F0173B4C07ECB5D5B7883F58B6ACE6F9C94BEBE96D9901D53C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:17.969{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:17.969{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465898D80576C4CAED1CFDECA26A5C37,SHA256=CEA7B94D292A40652C6FEE11BD8B629F17BC494EF67A721E865F167657B3FDC0falsetrue 11241100x80000000000000005496735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:17.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:17.579{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B4E8C64ABDD57438BE49C43C1C437C56,SHA256=738E1DD28EC22F24B70ADCB84B04624B0EF7C4110923E6BBA881573CC7DC1562falsetrue 10341000x80000000000000001551200Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.837{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1219-6139-AED0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551199Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.837{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551198Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.837{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551197Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.837{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551196Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.837{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551195Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.837{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1219-6139-AED0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551194Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.837{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1219-6139-AED0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551193Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.831{AEE49BD1-1219-6139-AED0-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551192Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.715{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4E9331CBE12063B12E221B95BD5D213,SHA256=A7D856FC98B0BB2A4FB327EA68A9491690CC34C3F023930192650088DB6B6A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551191Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.236{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1219-6139-ADD0-00000000F101}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551190Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.236{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551189Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.236{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551188Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.236{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551187Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.236{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551186Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.236{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1219-6139-ADD0-00000000F101}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551185Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.236{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1219-6139-ADD0-00000000F101}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551184Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.231{AEE49BD1-1219-6139-ADD0-00000000F101}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551183Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:17.114{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A82ED3FB1E652EE6A7057762FDA77D,SHA256=09AD49A349EE8629E49ABE0E422708D9E0DEE97EE4202B933DB5AD38D8255F6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551182Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:09.427{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61737-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001551202Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:18.836{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=804F3788A9E3B75380859D85B62B8174,SHA256=CE0EC049D6097E6A71B8B7E7251D063BCD5CAB069DC79D2E9D2E5493FBD3D1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551201Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:18.115{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA6FB7A6F269275B87D1D1056B5DBEA,SHA256=632F5813DC4CBCD3830D7BD6B3ABB34AA12866F8575EA9C13A33E299189190F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005496739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:18.344{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005496738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:18.344{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=856AC4DC7E877EA5DF37F1838ED1D715,SHA256=0A6E5E3E0D1B55F3D0D3760F9A2A5AA098857F010A35F8C800102AAA4C0E4400falsetrue 534500x80000000000000005496806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.547{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005496805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.547{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005496804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.547{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.547{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x80000000000000005496802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:05.720{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49807-false10.0.1.12-8000- 734700x80000000000000005496801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.438{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.438{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.438{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:19.438{4DF467A6-121B-6139-B3D6-00000000F001}3132\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005496797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005496795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005496790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005496768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005496765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005496764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005496763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005496762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005496759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005496754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.422{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.407{4DF467A6-121B-6139-B3D6-00000000F001}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:19.407{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:19.407{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:19.407{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:19.407{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:19.407{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:19.407{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005496745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D050FE29B26DB5FCDCB74D2AE49EBCC,SHA256=7AC732BC9E29874E5A7E6CBFAA45E9C9FA47422D630F746844F04F8D639B3DE7falsetrue 11241100x80000000000000005496743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.360{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=825426672A94B66DF892FCF3DF7B664A,SHA256=6EEC8A1D80FF128E84F58E8F6FABDEF6741112DFA1A93CBE3D27A77F8E4F02E2falsetrue 11241100x80000000000000005496741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.000{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:19.000{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF23B00D0E02A311DACF85C50E5F595,SHA256=C3D6709DAA29C7E0E4BE63A242E533EDBC1961E571966D83E2D045459845E457falsetrue 354300x80000000000000001551204Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:12.835{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61738-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551203Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:19.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DC8594175528B3AFA1991286DA937E,SHA256=9816E68E8470996842CEEAB7513B1955174CA125AE04FB226BE58BB0F8CFDD6A,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005496925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.922{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005496924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.922{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005496923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.922{4DF467A6-121C-6139-B5D6-00000000F001}58566524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.922{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.922{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005496920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.813{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005496916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005496914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005496883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005496882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005496877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.797{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.782{4DF467A6-121C-6139-B5D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.782{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:20.782{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.782{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:20.782{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.782{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:20.782{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005496868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.563{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F6DD6EB83C9356C69E794A1D1DC0D3,SHA256=1C3DACB62ABBCE4D72F13FB14CEC3E4B1E014286A5F81371DD48ACD77039CC8Dfalsetrue 11241100x80000000000000005496866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5799C9DB89C20C7372D0A4785980677C,SHA256=3AD56DAEDFA697C68A391F4FA7E4A711B8BB6892941423438B2C80C8DE33BF93falsetrue 11241100x80000000000000005496864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.547{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D050FE29B26DB5FCDCB74D2AE49EBCC,SHA256=7AC732BC9E29874E5A7E6CBFAA45E9C9FA47422D630F746844F04F8D639B3DE7falsetrue 534500x80000000000000005496862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.235{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.235{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005496860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.235{4DF467A6-121C-6139-B4D6-00000000F001}78362736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.235{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.235{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001551205Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:20.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B0616A80CA3CD08D7BC20DE2706092,SHA256=DBD7A63E278815A185A2C7572C1D8419AEC6BF8DEFB209B92697741F11CB4CA1,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005496857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.126{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.126{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005496820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005496815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.110{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.094{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:20.095{4DF467A6-121C-6139-B4D6-00000000F001}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.094{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:20.094{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.094{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:20.094{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:20.094{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:20.094{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005497039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.969{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.969{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D412212AAC9E19D06943909DE65D4F13,SHA256=A775C2D241DC8F4BCD2226C78E55A8A3D4A5523BC25488468D2B591CAAA04418falsetrue 734700x80000000000000005497037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.954{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005497036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.954{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005497035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.954{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005497034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.954{4DF467A6-121D-6139-B7D6-00000000F001}5932\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005497033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.954{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005497032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005497031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005497030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005497029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005497028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005497027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005497026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005497025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005497024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005497023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005497022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005497021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005497020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005497019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005497018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005497017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005497016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005497015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005497014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005497013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005497012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005497011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005497010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005497009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005497008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005497007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005497006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005497005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005497004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 23542300x80000000000000001551206Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:21.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7CF1447DEDD3FB1DA9BD5C97DC723D,SHA256=5101023D5C9D18EFAF4F52B7497A56F040DFD83CC328402F8A4C9C7F44F904D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005497003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005497002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005497001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005497000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005496999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005496994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.938{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.922{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.923{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.922{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:21.922{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.922{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:21.922{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.922{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:21.922{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005496985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005496984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.891{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1AD2409816D0029D6BFDF61F8033359,SHA256=2A9078E0ACEEDD2AF7564DFB4BF7BF614D19112F12B03759FE4F682B8062F1ECfalsetrue 11241100x80000000000000005496983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.704{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005496982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.704{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D30D3D2008523E01954BE68F98C539,SHA256=8BDA1FD68A334B346068C384E45446AC815A28D6629C1EF391F9BF6DF1BDBD59falsetrue 534500x80000000000000005496981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.532{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.532{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005496979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.532{4DF467A6-121D-6139-B6D6-00000000F001}79405152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.532{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005496977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.516{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005496976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005496975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005496974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005496973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005496971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005496970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005496969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005496968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005496967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005496966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005496965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005496964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005496963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005496962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005496961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005496960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005496959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005496958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005496957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005496956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005496955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005496954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005496953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005496952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005496951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005496950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005496949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005496948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005496947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005496946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005496945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005496944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005496943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005496942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005496941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005496940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005496939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005496938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005496937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005496936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005496935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005496934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.407{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005496933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.391{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005496932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.392{4DF467A6-121D-6139-B6D6-00000000F001}7940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005496931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.391{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:21.391{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.391{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:21.391{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005496927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:21.391{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005496926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:21.391{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005497105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.938{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A92BF7A1E2C61138F3B1EABA939BAD4,SHA256=DA79BE0D41CFAC64611D36EC128C1FF863EEFCB8152ABB7049151C59402000C4falsetrue 534500x80000000000000005497103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.751{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005497102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.751{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005497101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.751{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005497100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.751{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005497099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005497098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005497097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005497096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005497095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005497094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005497093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005497092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005497091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005497090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005497089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005497088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005497087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005497086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005497085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005497084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005497083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005497082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005497081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005497080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005497079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005497078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.641{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005497077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005497076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005497075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005497074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005497073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005497072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005497071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005497070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005497069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005497068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005497067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005497066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005497065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005497064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005497063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005497062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005497061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005497059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005497058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005497057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005497056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005497055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.626{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005497054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.621{4DF467A6-121E-6139-B8D6-00000000F001}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005497053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:22.610{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005497052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:22.610{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005497051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:22.610{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005497050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:22.610{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005497049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:22.610{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005497048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:22.610{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005497047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.610{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABFCA3A9FC74D08CEC878C67C6710EEB,SHA256=DC2FCC745FFEAAEC3A8BA4E9A9C41B546C1BFE729A87B65597B3DA397FA2AA40falsetrue 11241100x80000000000000005497045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8213EBEF4572A0634A888A7AF5B9308,SHA256=7AD6E1CAE803D3EBBED563319937A33B5D468B4258FD368484CA494768EEC737falsetrue 23542300x80000000000000001551207Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:22.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0FA7595C747F25CD030F4A6B37FBE3,SHA256=65162F9FB693963FD2359EFFEE68DD6E37554D29B9966320268827C599838FAF,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005497043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.063{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005497042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.063{4DF467A6-121D-6139-B7D6-00000000F001}59327560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.063{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005497040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:22.063{4DF467A6-121D-6139-B7D6-00000000F001}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005497167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.641{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.641{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AD0ABDEE5A42958D1F13C7BAA97B88,SHA256=83A9F0BA7A4207B8A1C82F47EBD5687E44886D5C523C2C0D0E59292400EA5A71falsetrue 23542300x80000000000000001551208Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:23.128{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4DDE06AE6967BE65800CA56A2D9D7A,SHA256=022E96EF90AE1BBDB9C02BA8F71C002B8FDC3EC761C0CAE86E5D896D15C440FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B5D8EF3B3277E003CBF6BC19061C81,SHA256=9C947DF86B51A65D541DCB6D1844CB82FBB82FFF79882DD70296C78E8AB1FF28falsetrue 11241100x80000000000000005497163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.594{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A5FDA9460740114E49312F859E0F8533,SHA256=432E737F80C555E0A9CEBFC370ABA92E791C39E1BDD7B0825D81E0A76899AD91falsetrue 534500x80000000000000005497161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.438{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005497160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.438{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005497159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.438{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005497158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.438{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005497157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.329{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005497156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.329{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005497155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005497154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005497153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005497152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005497151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005497150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005497149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005497148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005497147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005497146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005497145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005497144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005497143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005497142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005497141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005497140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005497139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005497138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005497137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005497136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005497135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005497134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005497133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005497132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005497131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005497130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005497129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005497128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005497127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005497126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005497125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005497124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005497123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005497122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005497121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005497120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005497119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005497117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005497116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005497115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005497114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.313{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005497113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.297{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005497112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:23.298{4DF467A6-121F-6139-B9D6-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005497111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:23.297{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005497110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:23.297{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005497109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:23.297{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005497108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:23.297{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005497107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:23.297{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005497106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:42:23.297{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005497171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:24.782{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:24.782{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96092D623D19177103281E080C620A65,SHA256=C0C3B8D2A55C6C1DF5DC1E25FF89CF3BAD289E5F0F4A54353228D421F5982FF1falsetrue 23542300x80000000000000001551209Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:24.148{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88343B050AFB58BCBF6BA42012476EA,SHA256=8F6F63005FFE31E16C4061F3D850A3604AF549CA5EF74B265BF5DBA5D1E33E19,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:24.251{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:24.251{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FCD2935A973E2CE0E186588AA07256D,SHA256=1B1965752144FA2968347FB1B8C3AD9288434FD1B5339C5F2472A2D5DD539A4Efalsetrue 354300x80000000000000005497175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:10.720{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49808-false10.0.1.12-8000- 11241100x80000000000000005497174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:25.797{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:25.797{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B714486AD2766782BA423AF9507EDBC3,SHA256=3E447B7643AB6B4BA7DE220F24B18C594860D7C657059978EBC18FC11183F0CBfalsetrue 354300x80000000000000001551213Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:18.749{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61739-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551212Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:25.154{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9BA53B9F6E3905198FD6EEA0214D26,SHA256=135D9D86D9660DA061129673B75936D196067AF03A0FC05102AFF6EBB9555179,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000005497172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:25.610{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 23542300x80000000000000001551211Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:25.151{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97DCD7AB5659D540D81E323E6BA83C52,SHA256=474E18500B4490D084EECC43029B66C4284A607AB3111BAE160D859921EC6CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551210Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:25.150{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC344D6C1809D90EDBE8921BB8A06D5,SHA256=018D8414C198A82176F13C7CD065A51A5DC3DD647978D59596318858B880FBAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:26.940{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:26.940{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30B36447DC1C1945517F52903EE816E3,SHA256=A11CDFDBA7B14EDBE48384D06E58D9D76941E4CA38C6D19DEF7EAA68CE236A52falsetrue 11241100x80000000000000005497177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:26.846{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:26.846{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D165355588AA80A7AD235567CBF420,SHA256=61ACC2E02564F6A2EBE8F2897AA267C9800D70A7E7ECFA0C0306BAF5343BEA92falsetrue 23542300x80000000000000001551214Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:26.188{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56DA38593214402FC65B95914F55282,SHA256=FE7B8EA118C9195AF30A2CDBEA0476C32DBA4F65D07AF1832C2132F412DCE02D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C8A5BFB3D30FBE431822AA460E71B0,SHA256=70A9EEF1DDFC1B66668FA557DC5032A21FAAC6AB9682010A09B4CF57F49C6661falsetrue 11241100x80000000000000005497184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.782{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.782{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B36F064A57ADB92E62C4A3262AB226BE,SHA256=BB30509F9DC6417D987D222A071650004E8E067165C9130F2DD86BF225FE9DC6falsetrue 23542300x80000000000000005497182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.348{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7267MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005497181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.347{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72672021-09-08 19:42:27.347 11241100x80000000000000005497180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.347{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72682021-09-08 19:42:27.347 23542300x80000000000000001551215Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:27.191{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BAA364275308762580A479065E3D39,SHA256=5967E2EF4711603E4E36DE7557979CB0D33ED4B311195FD41348A44E232107AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:28.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:28.923{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF04320E513251491F3A98A10A26AE9,SHA256=DC12D80A6963E5FC74D680788828B547BB31B24F0548B73BA61D2CA8F4EC6885falsetrue 11241100x80000000000000005497189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:28.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:28.436{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86D0D5C0EFED19B35DC94A45A7582FE1,SHA256=FB36DB5CF0AC46D38F9AE9B8DD116470580843BF56546994A36C299766F7AD14falsetrue 23542300x80000000000000005497187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:28.360{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7268MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 23542300x80000000000000001551216Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:28.225{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795FEB4A1D95AB7BB8D1906105EBDE73,SHA256=F6D8A0DA5BAEABDCFA862A6D0B9F47EBABDDCB8C503C515E1C900C64A68ED843,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:29.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:29.986{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C7DF2638CCBDC7597B01C84F84C2E0,SHA256=A6940BAF8A248D8E82A463972D144E3A58795B29A21E4CD6AAFDA404B5D9C5EEfalsetrue 23542300x80000000000000001551217Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:29.260{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7482F22AFA545E70E171ABA9FA8EF0,SHA256=4C2622F1300D6DBEA62CAF6D4FB8F772294E8966C41A9D2347CE8F7406E4451D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:30.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:30.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9302ED3E9AE41EE5C429BF52E06636C3,SHA256=BA2B41545B480FBB17F7306573255D7A5367FF2FC48EEC1A7BA269A5D378D4F9falsetrue 11241100x80000000000000005497197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:30.987{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000005497196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:30.987{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BD6AE2FD4BEB2FC3C10A0BBFABD8919A,SHA256=BDD27F6FF0AFD7AEA570E42E1BEFC44B9376B45BDFA8346DFEE3033AA9B3907Bfalsetrue 23542300x80000000000000001551218Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:30.266{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7B9835F724430DA681088140E1BC12,SHA256=0BEBD6F5E80DB74FFBFD8F34363F8C9A262F25AD3AEBBF3DBF487307E6A8D407,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:30.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:30.220{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED69AA5D81694D50CE31BC186C7C47F7,SHA256=AC01EFD3C60FA8152E4D6F182AA3EC410AC5012F7022E1B96A01ADB55D67EB35falsetrue 10341000x80000000000000001551230Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.702{AEE49BD1-1227-6139-AFD0-00000000F101}34685312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551229Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.571{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1227-6139-AFD0-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551228Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.571{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551227Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.571{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551226Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.571{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551225Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.571{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551224Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.571{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1227-6139-AFD0-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551223Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.571{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1227-6139-AFD0-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551222Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.566{AEE49BD1-1227-6139-AFD0-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551221Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.271{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12F88AD6C60F51B6FBFA6BF2CFCC4D8,SHA256=6C925AF77CB769A269409DF8A1F0D208BBFB66366E903912663FD1C7F16FD910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551220Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.149{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB02AC61B1A828E235DCCAE2EDAE4A14,SHA256=2E9E78A6A2E535B25272941125097FAD0BE0629E9641AEEE1FC1CEA836DB4B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551219Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:31.149{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97DCD7AB5659D540D81E323E6BA83C52,SHA256=474E18500B4490D084EECC43029B66C4284A607AB3111BAE160D859921EC6CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551250Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.950{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1228-6139-B1D0-00000000F101}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551249Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.950{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551248Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.950{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551247Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.950{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551246Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.950{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551245Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.950{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1228-6139-B1D0-00000000F101}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551244Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.950{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1228-6139-B1D0-00000000F101}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551243Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.935{AEE49BD1-1228-6139-B1D0-00000000F101}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551242Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.719{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB02AC61B1A828E235DCCAE2EDAE4A14,SHA256=2E9E78A6A2E535B25272941125097FAD0BE0629E9641AEEE1FC1CEA836DB4B7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551241Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.387{AEE49BD1-1228-6139-B0D0-00000000F101}3276916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551240Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.334{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3728E854DB7427181212711537FD359,SHA256=94F1735C3C1E20D422C7CC5D86C102C4F17B426712C8726DC4EB8329611F2A6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:32.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:32.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B57D5BEE29856431857425274A22017,SHA256=A3D41E4A5F7897FBD7B8A5A9D5082D16ACFCCAA8A7B3E2D2BF32D7633311B82Bfalsetrue 354300x80000000000000005497204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:16.689{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49809-false10.0.1.12-8000- 11241100x80000000000000005497203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:32.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:32.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B85468C785151D784051BE9ED90B19,SHA256=2D52C0AEE1F1BBA7BC64F2D853333ABCCEE9955250E9CBAFD440F60496019101falsetrue 11241100x80000000000000005497201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:32.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:32.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310FF42D73404459DCD080889199431C,SHA256=36DC7924F7CDCD4EE23A2E485F218888AB6BA8BA7049E5DE70423218A5E01125falsetrue 10341000x80000000000000001551239Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.268{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1228-6139-B0D0-00000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551238Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.267{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551237Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.266{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551236Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.266{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551235Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.266{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551234Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.266{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1228-6139-B0D0-00000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551233Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.266{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1228-6139-B0D0-00000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551232Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:32.251{AEE49BD1-1228-6139-B0D0-00000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001551231Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:24.747{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61740-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551253Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:33.936{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=045D5186BF99028038BCC9E149BE585E,SHA256=AEE404D819F034B748516BE192275D326C5ADDD4880F8EFB31A08CC3DBDB495D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551252Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:33.334{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28437FA3A0F32F248859CE45EF2989BE,SHA256=1EF7D46F3636813090EE9927823E3B5DCE0363108227B7F0B5F5AEC98E19BA8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:33.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:33.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BE9173A4B41CCEB048D683241894C3D,SHA256=1DBE7EF2E0AB52AF1924F76168E4315061F709626D0DBC9063264CFA7BF97A22falsetrue 11241100x80000000000000005497208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:33.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:33.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7245CF6FB3B0F00957A43E0BDBE27563,SHA256=02026BE8376A14CF8EC54ABD2989BDBFF8DA99905153856B4EA6D8B7493AF5B5falsetrue 10341000x80000000000000001551251Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:33.072{AEE49BD1-1228-6139-B1D0-00000000F101}10565428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551254Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:34.336{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463D546F337DD87F5C55E44964F5CEB0,SHA256=E4C92FEE8A6FAD7D1CF231726D113C8C2C69A1BA83F0FA1AF9BEC18DF830F624,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:34.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:34.081{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA59D64E9D721F2B705BA45EEB681A7B,SHA256=F0BA338F4BDFFECD255FA36F4D13F4A6C266FD7E1282C44A63D79F787ADAAF0Cfalsetrue 11241100x80000000000000005497216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:35.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:35.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B7BA62000F588FF0FE0C2A6E61E64EF,SHA256=939A97DDE71C0DE137B9378906FAC8101689FEB01FE117957A924CB294D6070Afalsetrue 11241100x80000000000000005497214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:35.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:35.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734030185AAC99D22B164CB1AA35C39C,SHA256=E82561C11906450CB773E30CD7BC60D600B8C530D68D60FA1F694C5B03331F95falsetrue 23542300x80000000000000001551255Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:35.353{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFBCBCC6D207C9CC6043E21B84B3568,SHA256=C31FC8B4053923D354C96FE78526721C6B635F597C55A87DF3756E68801512B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:36.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:36.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20347A221894FABFA011785153B4492B,SHA256=3D07121533F64170CA31C781588681CCFF26A46D5C217C658B876B9D8BD0B0FDfalsetrue 23542300x80000000000000001551257Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:36.355{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E448741F87568F2158BEA5EC2B19A8,SHA256=1EB13FFD5C3FD8308A810D07D51F9C7FE25F0FBDEC63EA90456603C7260F378C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005497217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:21.707{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49810-false10.0.1.12-8000- 23542300x80000000000000001551256Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:36.175{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=686904E42AE0F1087BB82FD84382B089,SHA256=9678E5E167F7604FAA0A39F6059D58E0A836352E57D940C1B58702D0BE44BB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551259Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:37.357{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F4AC5EF7C78045F1BF02B84424BDE1,SHA256=0909C31C216EB7DF7FF1AB022BAA1B957EC0693D09D4AA96FF40F3E417F33756,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.706{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B2F11CC8DA86B9C58BAF8C02E9AD2105,SHA256=C381163401C8C12C833ACE95A28F2CACF951DEA08FE63E22F1EB10DE71B38168falsetrue 11241100x80000000000000005497221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987A5B8EC4107E22B75BF3F6D369E782,SHA256=1559E49B1110EF54B9F7E90A6977D715CDF932C47EFBE98C4E2ACC0E6C64F88Dfalsetrue 354300x80000000000000001551258Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:29.770{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551260Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:38.359{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE5C07343E17CC655FE6783D0C990CC,SHA256=73EB0144ED6929F8C132FD8DA6DBE51C74E95CEE69AF381DEE70003BFE5CA720,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB0DA88E6B0C23B6398505C0E2257F90,SHA256=96E58E2F0D00F6FAF9639F6205877F115BC7896E8B943924E0C923DD644859A7falsetrue 11241100x80000000000000005497225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AB39644FD219982564F1846E3DFC3B,SHA256=F926B3B208AEDD1D8AB0C5C706DEB2CE124B3B4D2055DB00BCAD8BB22AE42C57falsetrue 23542300x80000000000000001551261Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:39.362{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3865D27C7C45A66B2F13EFFF522B21FC,SHA256=221712021D794AE5305A9587D08974CF43ADC2AC5CB51C9F8247EDEEF590EB10,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.284{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724B98805C04DBC1D6F8FC38AC2C663F,SHA256=344EB12C75977158A3C6B6D10A21D62946F5BB81E28E3F2AC3A2BE444C577504falsetrue 11241100x80000000000000005497231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284D9F31C088EE2AB5F4C044E908371F,SHA256=DBFE04CDE9A837ABB59120D6C355D2E9B7685113951922E4F105B54DCE5A07E4falsetrue 23542300x80000000000000001551262Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:40.363{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC61C05165C55BD6724CAC985ED1AC6,SHA256=8006AA366C554C2988F5C8CA9BB992A39B03F8C00CF99CC790305FD1042989FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:41.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:41.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666F6502E399CEB72EA32D1B90EC1971,SHA256=B893D6B19F6CA7983A8AD2C72FCE0E5363D47EDC7E8B9169D517E8E45F926541falsetrue 10341000x80000000000000001551273Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.433{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1231-6139-B2D0-00000000F101}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551272Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551271Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551270Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551269Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551268Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.433{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1231-6139-B2D0-00000000F101}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551267Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.433{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1231-6139-B2D0-00000000F101}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551266Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.418{AEE49BD1-1231-6139-B2D0-00000000F101}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551265Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.364{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A363ED8EFC625B487499A5481A5F43,SHA256=A1FB13D43F9FBE867CBDBFE74DC336AB209A8A58293583310B565976E23ED242,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:41.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:41.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625D967C4C8C9722C36E86B8DB99A08A,SHA256=55D71CD7BCED321984A0504098DF10B2E864BB04A19D0CDE34F6C304B492DAE9falsetrue 11241100x80000000000000005497233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:41.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:41.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E15A27114A9A5524E3368326F9D968B2,SHA256=D27506ADB9B5D2C558FA319D9BDBB244754F062A76CEB82B6E6ACE97F2CBB5E9falsetrue 23542300x80000000000000001551264Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.202{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E86F6AABACC90E13218089F55950938,SHA256=767D35B457A134ADD838F0EFC8C00F1123D9B5E3B0BA2F5977280A59943AF5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551263Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:41.202{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56A7CB7752F9B7372F996BB1E0E6F9EF,SHA256=83E42B91ADFC229E080AEB630A86609534E5F1DAC9480973B523977E575C3DB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:42.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:42.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6F476FE1C1B9FE1A90B5B193CE325FD2,SHA256=A75A7CC75E1043FC198195DBBEFED08466FC3E71A4BBE0AE088D5ABA0D9F3BC5falsetrue 354300x80000000000000005497240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:27.660{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49811-false10.0.1.12-8000- 11241100x80000000000000005497239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:42.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:42.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA08EC7A58311AEDB7E248CABC9F7C9A,SHA256=8089F4DE833485532180FDEF9946B8E6F63DF522CD4FCAD1CF2C6990EFC086A7falsetrue 23542300x80000000000000001551277Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:42.421{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E86F6AABACC90E13218089F55950938,SHA256=767D35B457A134ADD838F0EFC8C00F1123D9B5E3B0BA2F5977280A59943AF5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551276Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:42.421{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7258MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551275Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:42.366{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20B3BD822E4162584766147DB246CE5,SHA256=9E805C10AFAA5BC1F71EC26B841E380312188EAF2E1D8A4B5C10E0CB37315AD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551274Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:34.783{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551279Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:43.423{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7259MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551278Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:43.367{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D94100005210CDA6B9AC9D166D134FD,SHA256=0E586A7C339A805B699ED2ECBE0C99B1FA65D76531D372CF3250958DA0C8A014,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:43.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:43.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7D25D8D81403B669545A458ED79254CC,SHA256=A8EEA57F8EE1343280024E39830364C593B54C12C2DF0A472CFB77058CC989B1falsetrue 11241100x80000000000000005497244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:43.472{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:43.472{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D5505548BE144A377F8C490D6FE443,SHA256=65C26BCE023FD985587EBACA9F2624B35ED1B78BE43AAF9E2C1A9008C48FCA06falsetrue 23542300x80000000000000001551280Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:44.369{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D067F1BE7F82B96F004DDFE117C753FF,SHA256=11B7BE51B3F87D42FB28CCDF268FC7C4F56606C9813575261A2AC7DD45C43F9A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:44.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:44.487{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0565E51BC47E41705750EE217AF334,SHA256=853FF61EAA12A998253A1B34E596F61B58324635FDEFE2034A15228BE22395C6falsetrue 11241100x80000000000000005497255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:45.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:45.550{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EAF742F3A961EEA8B7ABF603870A75,SHA256=3271812B0EA95AA0A90B4ED3E1970C2B19A963D25F448D67ED611745CC6263ABfalsetrue 23542300x80000000000000001551281Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:45.371{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91B542D7CA780B11B4B1E41DA79109A,SHA256=CF37DC4D02B7538657FBD421DFC89A45A38C6BC7CC9AFD616E37B16B0FC39BCE,IMPHASH=00000000000000000000000000000000falsetrue 24542400x80000000000000005497253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:45.284{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=7550D4771B8EB356B0852F29AF3890B5,SHA256=04808BB84FB138B6B36411B707926548F50F397D43DF5A98C19C32173658C6FEtrue 10341000x80000000000000005497252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:45.284{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:45.284{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005497250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:45.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-7550D4771B8EB356B0852F29AF3890B504808BB84FB138B6B36411B707926548F50F397D43DF5A98C19C32173658C6FE2021-09-08 19:42:45.284 10341000x80000000000000005497249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:45.284{4DF467A6-3F58-6132-2B00-00000000F001}29486000C:\Windows\sysmon64.exe{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551282Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:46.373{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B6B504E857467C27D20D8681B58F8D,SHA256=40B8C8A719446F99A3B3178C546628EB1BE7DA2A416EFC4CD60C8FA3414D0E4E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:46.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:46.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D36ED8BE67F148EFA574DD5B54EE91DD,SHA256=E81A315D3D74A4A27F4F5DB6FFDF60F9799D9C8A2CE59059B40869743D862D73falsetrue 11241100x80000000000000005497259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:46.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:46.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625D967C4C8C9722C36E86B8DB99A08A,SHA256=55D71CD7BCED321984A0504098DF10B2E864BB04A19D0CDE34F6C304B492DAE9falsetrue 11241100x80000000000000005497257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:46.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:46.566{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECB33D3C8CECDD54B89925C46B66890,SHA256=94C36BFC4FBFFB767E5CF50F5F68920FE452B0DFF63D5FCEAE6DEB6B43EF077Afalsetrue 23542300x80000000000000001551284Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:47.375{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0B590A92E8A26BF0C178A0FCA7DA38,SHA256=1B2D0CC7763618956DEF18D1C7CBDB2B34C4C61A9F156ECB2BFEC91194B22344,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005497444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C85D801B7168241AF35C6617E6E6FFED,SHA256=44378CD384557672A8A116AAD243C2D94151BE0745827A96F0F849970627174Bfalsetrue 11241100x80000000000000005497442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0505692C6A2B8A596705913A82FC99BF,SHA256=4C26EA16B17C653080BB4B41AE71D224D685A993228C685181E6E14A9DDC48C8falsetrue 11241100x80000000000000005497440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.503{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374574CA26D0218F085987E5C3A722AB,SHA256=1462F8704A891DA337F1F54252A3B70BC24962A1446E2E8DB1E8E657900ED11Bfalsetrue 734700x80000000000000005497438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005497437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005497436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94trueMicrosoft WindowsValid 10341000x80000000000000005497435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551283Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:47.275{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6286F9776CDBC734A4BC07EB5C9878B,SHA256=4BC9B2B26BA3D46B80D30F2E1505F61E27D015941C368F884E15141017C71D10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005497434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000005497432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005497431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005497430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005497429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005497428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005497427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 10341000x80000000000000005497426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.456{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x80000000000000005497424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005497423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005497422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005497421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005497420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005497419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 10341000x80000000000000005497418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000005497417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005497416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005497415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005497414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164EtrueMicrosoft WindowsValid 10341000x80000000000000005497413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005497412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.441{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005497411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.418{4DF467A6-1237-6139-BBD6-00000000F001}4300C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85}C:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 734700x80000000000000005497410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.409{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94trueMicrosoft WindowsValid 12241200x80000000000000005497409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.409{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 12241200x80000000000000005497383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.409{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 10341000x80000000000000005497381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.409{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.409{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.409{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000005497378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 10341000x80000000000000005497377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005497375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005497374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005497373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005497372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005497371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x80000000000000005497370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005497369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005497368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005497367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005497366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005497365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 10341000x80000000000000005497364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000005497363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005497362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005497361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005497360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164EtrueMicrosoft WindowsValid 10341000x80000000000000005497359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005497358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.394{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005497357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.340{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6}C:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 11241100x80000000000000005497356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA3005326306FE4DBEA3F5FF0C98EAD,SHA256=CBCE584B025EB5BC7C51BED94E3A64A7E645E457C155E24CE42CDD41DF6432F9falsetrue 10341000x80000000000000005497354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.331{4DF467A6-4448-6132-F405-00000000F001}43525572C:\Windows\System32\RuntimeBroker.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000005497353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.331{4DF467A6-4448-6132-F405-00000000F001}43525572C:\Windows\System32\RuntimeBroker.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000005497352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.331{4DF467A6-43FD-6136-8C7E-00000000F001}964560C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.331{4DF467A6-43FD-6136-8C7E-00000000F001}964560C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005497350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.300{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.300{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAECFC1946E94FCD787CCA75001E9365,SHA256=B4DF3A1B2659D0642A69B09C5E8A9ED8700ECC371C7311E814879E4FE8556D8Afalsetrue 12241200x80000000000000005497348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005497343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-4448-6132-F405-00000000F001}4352C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Cortana.ProxyStub.dll10.0.14393.0 (rs1_release.160715-1616)Windows.Cortana.ProxyStubMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Cortana.ProxyStub.dllMD5=7806FE9D293F066147ED111F7945D18A,SHA256=2C05FEC5EDDFE93E4DE67FA816B5D52273F78F71FCFA53C39CAE2B9B925CA25FtrueMicrosoft WindowsValid 12241200x80000000000000005497342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005497334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.284{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005497333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 10341000x80000000000000005497325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.284{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005497324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005497322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.284{4DF467A6-3F48-6132-1400-00000000F001}10564028C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005497321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:47.284{4DF467A6-4448-6132-F805-00000000F001}3292C:\Windows\system32\taskhostw.exeHKLM\SOFTWARE\Microsoft\Input\State\SoftwareKeyboardDeployedDWORD (0x00000001) 12241200x80000000000000005497320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-4448-6132-F805-00000000F001}3292C:\Windows\system32\taskhostw.exeHKLM\SOFTWARE\Microsoft\Input\State 10341000x80000000000000005497319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.284{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005497318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.284{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005497315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-3F58-6132-2700-00000000F001}28565192C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005497314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-3F58-6132-2700-00000000F001}28565192C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000005497313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-4448-6132-F405-00000000F001}43525572C:\Windows\System32\RuntimeBroker.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000005497312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-4448-6132-F405-00000000F001}43525572C:\Windows\System32\RuntimeBroker.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 12241200x80000000000000005497311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.269{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting 10341000x80000000000000005497310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000005497309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000005497308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-43FD-6136-8C7E-00000000F001}967792C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-43FD-6136-8C7E-00000000F001}967792C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-43FD-6136-8C7E-00000000F001}967792C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.269{4DF467A6-43FD-6136-8C7E-00000000F001}967792C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000005497303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000005497302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8967524C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8967524C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8967524C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8967524C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8967524C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8967524C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0D00-00000000F001}8966716C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8367936C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+3fb180|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x80000000000000005497264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.253{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+3fb180|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 13241300x80000000000000005497263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:47.175{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005497262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:47.175{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 354300x80000000000000001551286Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:40.642{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551285Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:48.377{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BE4ABD507C0723C6286F249D7FA0E9,SHA256=78314D3AB1AF8523FB8078A7313E7477EEDA20A9FC6C04537574EC9B2BFB4AFF,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005497703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 12241200x80000000000000005497702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.831{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005497701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.769{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.769{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.769{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.769{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.769{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.769{4DF467A6-4448-6132-F505-00000000F001}50647056C:\Windows\system32\sihost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005497695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A666B722913525151B3CDDA68B07054,SHA256=9B797415A34093D02EF4A4D99DFA810BE55FA3926583F518E3D78F73A5010BEAfalsetrue 10341000x80000000000000005497693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.722{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.722{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.722{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005497690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.722{4DF467A6-3F58-6132-2700-00000000F001}28565408C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005497689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.722{4DF467A6-3F58-6132-2700-00000000F001}28565408C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 11241100x80000000000000005497688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005497687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFF24EDC5C1EC713F5E9F01144C16C44,SHA256=EA1E8930A16647FCEE27E1BE15C25D868E9CAF8D99188707BF14B3A51743BA57falsetrue 354300x80000000000000005497686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:33.628{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49812-false10.0.1.12-8000- 11241100x80000000000000005497685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.519{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.519{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DC26DE57178C4177ADEEF216F62D93,SHA256=29AB9AD4F11F304642C81C5B5ADFFC9EA40067FFB6768E172F9C3CF155144631falsetrue 12241200x80000000000000005497683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005497680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.472{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll16.0.13801.20634Microsoft Office componentMicrosoft OfficeMicrosoft Corporationc2r64.dllMD5=89F83DB0358154696068C1A1A2C48B76,SHA256=97A0AC1E7CF73E000BC13BF560BA088C79797604E5E64F21B6DB843CD16742FFtrueMicrosoft CorporationValid 12241200x80000000000000005497679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun 12241200x80000000000000005497658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office 12241200x80000000000000005497657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft 12241200x80000000000000005497656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.503{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE 10341000x80000000000000005497655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.503{4DF467A6-D3A4-6138-36CD-00000000F001}67805776C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+498a3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5206d|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5132f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005497654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005497653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.487{4DF467A6-D3A4-6138-36CD-00000000F001}67805776C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5eac4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+5fb06|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+178f5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0e4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000005497652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.487{4DF467A6-D3A4-6138-36CD-00000000F001}67805776C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4177c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18b13|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+18013|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+19af2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1c0bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+c696|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+b1eb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d60e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+2d2f1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+95bf|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+13394|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+1c734|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8eda|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+892c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 12241200x80000000000000005497651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005497650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll10.0.19041.1074 (WinBuild.160101.0800)Client Virtualization SubsystemsMicrosoft® Windows® Operating SystemMicrosoft CorporationAppVISVSubsystems64.dllMD5=90B77DF9501D41C1FC3B9B08BF739CBD,SHA256=B767361DEEBE62459AD8D6124C9E94B0A20F09EA1C53F6111B7B71252B703A04trueMicrosoft CorporationValid 12241200x80000000000000005497649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.487{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005497627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.487{4DF467A6-D3A4-6138-36CD-00000000F001}67805776C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+8f4a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+822c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.487{4DF467A6-D3A4-6138-36CD-00000000F001}67805776C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+7ae3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+775b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005497625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\Common 734700x80000000000000005497624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.472{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000005497623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.472{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 12241200x80000000000000005497621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005497620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.472{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 12241200x80000000000000005497619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005497616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\msvcp140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=F60E0D8C88242FE8CA38A8562685F231,SHA256=254F5CDE2DEF2BF3941F746E4902A36F5169BF73AE9E258E49BC1FEF7B26EC99trueMicrosoft CorporationValid 12241200x80000000000000005497615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005497596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.472{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.472{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B575C5D427DE5EA9AA8377487ECD511,SHA256=798B4596076E0F6F28ED5E65CFE8078CC0140159802CBD0099E2D331FC4AF2B2falsetrue 12241200x80000000000000005497594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=766F0D18983E0810882FBA122AD1163E,SHA256=F10EF6DE6C651DB42DBD455A1C674047862CEBF6CCCE1F784CDB0571C9EA9757trueMicrosoft CorporationValid 12241200x80000000000000005497592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.472{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140_1.dll14.27.29114.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=74B5641A50C27B57ED0DA622E66A239E,SHA256=A571D26E536D4F7DA93ACC24EDB1D823140B660795576DC27F626F1889106D36trueMicrosoft CorporationValid 12241200x80000000000000005497567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005497544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 734700x80000000000000005497543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000005497542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005497541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005497540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000005497539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005497538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005497537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005497536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000005497535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005497534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005497533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005497532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 12241200x80000000000000005497531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005497529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005497528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.456{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005497527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13801.20864Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exeMD5=11F7D49A44E922C3BB0B426211F44E66,SHA256=025784F40F20654C264D060B1BA77066CF04BC56F6F2324E56372704FC4EC499trueMicrosoft CorporationValid 12241200x80000000000000005497526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.456{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005497503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.441{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000005497502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.441{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 12241200x80000000000000005497501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.441{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 734700x80000000000000005497500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.441{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 734700x80000000000000005497499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005497498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1trueMicrosoft WindowsValid 734700x80000000000000005497497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005497496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005497495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005497494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1trueMicrosoft WindowsValid 734700x80000000000000005497493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005497492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 734700x80000000000000005497491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005497490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 13241300x80000000000000005497489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\LaunchCountDWORD (0x00000003) 13241300x80000000000000005497488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\LastAccessedTimeQWORD (0x01d7a4e9-0xb3f54590) 12241200x80000000000000005497487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 10341000x80000000000000005497486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005497485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.425{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005497484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}962168C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}962168C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005497481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 13241300x80000000000000005497480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005497479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000005497478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005497477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jbeq.yaxBinary Data 13241300x80000000000000005497476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005497475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Jbeq.yaxBinary Data 12241200x80000000000000005497474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.425{4DF467A6-3F48-6132-1200-00000000F001}852C:\Windows\System32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store 10341000x80000000000000005497473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-3F48-6132-1200-00000000F001}8524324C:\Windows\System32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-3F48-6132-1200-00000000F001}8524324C:\Windows\System32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005497470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.425{4DF467A6-43FD-6136-8C7E-00000000F001}967916C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\windows.storage.dll+15922|C:\Windows\System32\windows.storage.dll+15619|C:\Windows\System32\windows.storage.dll+154ef|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17432f 154100x80000000000000005497469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.400{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13801.20864Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=11F7D49A44E922C3BB0B426211F44E66,SHA256=025784F40F20654C264D060B1BA77066CF04BC56F6F2324E56372704FC4EC499{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 10341000x80000000000000005497468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000005497465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000005497464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2700-00000000F001}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-4448-6132-F405-00000000F001}43525572C:\Windows\System32\RuntimeBroker.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000005497461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-4448-6132-F405-00000000F001}43525572C:\Windows\System32\RuntimeBroker.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 12241200x80000000000000005497460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.378{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting 10341000x80000000000000005497459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000005497458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}96848C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 13241300x80000000000000005497457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005497456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\FlfgrzNccf\Zvpebfbsg.Jvaqbjf.Pbegnan_pj5a1u2gklrjl\FrnepuHV.rkrBinary Data 10341000x80000000000000005497455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}967792C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}967792C:\Windows\explorer.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-3F47-6132-0C00-00000000F001}8365276C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005497450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.378{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005497449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:48.378{4DF467A6-4448-6132-F805-00000000F001}3292C:\Windows\system32\taskhostw.exeHKLM\SOFTWARE\Microsoft\Input\State\SoftwareKeyboardDeployedDWORD (0x00000000) 12241200x80000000000000005497448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:48.378{4DF467A6-4448-6132-F805-00000000F001}3292C:\Windows\system32\taskhostw.exeHKLM\SOFTWARE\Microsoft\Input\State 10341000x80000000000000005497447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.362{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005497446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.347{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D36ED8BE67F148EFA574DD5B54EE91DD,SHA256=E81A315D3D74A4A27F4F5DB6FFDF60F9799D9C8A2CE59059B40869743D862D73falsetrue 23542300x80000000000000001551287Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:49.379{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34D610FDE9B30DF686575231909FF94,SHA256=EFFD65BA450394F00A1E7865A8D259ED7CD2E5BA59FC5F4F731D8CF327ACA915,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005498186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 10341000x80000000000000005498181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=8A3F431F51A105E05BD2D9474E9AEF47,SHA256=0EA156F0C53425CC45D940400A3E7181F605753285F97A66BD6FF78D5F221906falsetrue 10341000x80000000000000005498179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=DD0629F762AF501A5A8D3BF3DFB7F972,SHA256=98A780337650F6C54FF55E43672F34B4107A4D088772130363DAB2DB00A5CA09falsetrue 10341000x80000000000000005498177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=2039C127F165F9025CD53CFC0C595D6E,SHA256=B6BB8C4740B3C90EAA7E0B9C7D11BFD3B41C5D8DC538417BAABC78FDB8600E1Bfalsetrue 10341000x80000000000000005498175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=CA3DD4D8A1D864153ED71A0FA1D6B7CA,SHA256=B401AD319974DDBAD1521AB2F4C7750853AD4444CB36C3680A7C63904C918E00falsetrue 11241100x80000000000000005498173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{904FABCB-10E3-4B3A-A1E1-6CE7F5B63054}2021-09-08 19:42:49.972 13241300x80000000000000005498172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6444\0Binary Data 12241200x80000000000000005498171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\4664 12241200x80000000000000005498170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\4664\0 13241300x80000000000000005498169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DownloadContentStateConsentTime(Empty) 13241300x80000000000000005498168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DownloadContentStateSourceLocationDWORD (0x00000007) 13241300x80000000000000005498167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DownloadContentStateDWORD (0x00000000) 13241300x80000000000000005498166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserContentDependentStateConsentTime(Empty) 13241300x80000000000000005498165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserContentDependentStateSourceLocationDWORD (0x00000007) 13241300x80000000000000005498164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserContentDependentStateDWORD (0x00000000) 13241300x80000000000000005498163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ControllerConnectedServicesStateConsentTime(Empty) 13241300x80000000000000005498162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ControllerConnectedServicesStateSourceLocationDWORD (0x00000007) 13241300x80000000000000005498161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ControllerConnectedServicesStateDWORD (0x00000000) 13241300x80000000000000005498160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ServiceConnectionStateConsentTime(Empty) 13241300x80000000000000005498159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ServiceConnectionStateSourceLocationDWORD (0x00000007) 734700x80000000000000005498158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 13241300x80000000000000005498157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\ServiceConnectionStateDWORD (0x00000001) 13241300x80000000000000005498156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DiagnosticDataConsentConsentTime(Empty) 13241300x80000000000000005498155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DiagnosticDataConsentLevelSourceLocationDWORD (0x00000007) 13241300x80000000000000005498154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\DiagnosticDataConsentLevelDWORD (0x00000002) 13241300x80000000000000005498153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\UserCategoryDWORD (0x00000002) 12241200x80000000000000005498152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL 12241200x80000000000000005498151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.972{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache 10341000x80000000000000005498150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.956{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.956{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=115D92F9D17892D2A5525AC072C026F4,SHA256=A9C6CACB3A08DC945CDDA1C500D257A6B2F4E0711E6C96D3211F6BF88A882C84falsetrue 10341000x80000000000000005498148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.956{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.956{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=05F437E3A18724CE595ACACF079D90D0,SHA256=6AC09883C44234BE7CE9B8D3AB51D0D0A4CBA04A2145CAC15ED61DD9326D5F75falsetrue 10341000x80000000000000005498146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.956{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005498145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.941{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL16.0.55555.10000Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMsoAria.dllMD5=2357126682CE4CAB2E5963883400D41D,SHA256=878BF317D30612C970E2EFDF93C3F22BF360D0304CFB54E96D638E8A5DE24E51trueMicrosoft CorporationValid 12241200x80000000000000005498144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005498139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.753{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msi.dll5.0.14393.4530Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=4479EEB5C5400D4C084274BA015750FA,SHA256=6B30AE7147132038E603EEB2D35C35BB3D03EC5AFA560D31969E2D39A44ACDCDtrueMicrosoft WindowsValid 12241200x80000000000000005498138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.925{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005498117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.925{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1631130169933902700_9D425830-4259-4A22-8003-24667CAF6A57.log2021-09-08 19:42:49.925 11241100x80000000000000005498116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.925{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1631130169933370700_9D425830-4259-4A22-8003-24667CAF6A57.log2021-09-08 19:42:49.925 734700x80000000000000005498115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.925{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005498114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.925{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid 734700x80000000000000005498113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.925{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x80000000000000005498112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.909{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid 734700x80000000000000005498111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.909{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 734700x80000000000000005498110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.909{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Security.Authentication.Web.Core.dll10.0.14393.4169 (rs1_release.210107-1130)Token Broker WinRT APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Security.Authentication.Web.Core.dllMD5=E3AB65431FF6EA142FECF301220904D0,SHA256=60F168A317109BA364699F1FA1A2DDD8E5B0008A16CD7F1DB80583848DFCA7CFtrueMicrosoft WindowsValid 734700x80000000000000005498109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.909{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 10341000x80000000000000005498108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.909{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005498107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.909{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\normaliz.dll10.0.14393.0 (rs1_release.160715-1616)Unicode Normalization DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnormaliz.dllMD5=65930A2C537774A8CBB0A1BE20266D51,SHA256=2879DECC03521C385C5D29381B002E7B70BB448BC2787D9C08174592C7D80BC8trueMicrosoft WindowsValid 12241200x80000000000000005498106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005498105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.894{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x80000000000000005498102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.706{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL16.0.13801.20796Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMSO.dllMD5=DEAB06C2DDF8959448455176D2A1754E,SHA256=49708B1D39D76B2E9F096B95BCB30B6601D3B5C8E1D84830740EC25FE8F38F39trueMicrosoft CorporationValid 10341000x80000000000000005498101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.894{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.894{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005498099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.894{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x80000000000000005498085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.894{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005498074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.894{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\DWrite.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=1875083243EE498D0B2BB6B025AD7520,SHA256=A3FA592126642537BF6F0E4E9750A43A899525FE616DE899ABD7F26A9E7620C4trueMicrosoft WindowsValid 13241300x80000000000000005498073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.831{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005498072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.831{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000005498071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.831{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005498070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.831{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\FlfgrzNccf\FuryyRkcrevraprUbfg_pj5a1u2gklrjl\FuryyRkcrevraprUbfg.rkrBinary Data 10341000x80000000000000005498069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.831{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.831{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.831{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005498066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.831{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 13241300x80000000000000005498065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.816{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\/qaBinary Data 12241200x80000000000000005498064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.816{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 10341000x80000000000000005498063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.816{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005498061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000005498060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-3F48-6132-1600-00000000F001}12481928C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005498058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 11241100x80000000000000005498057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005498056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA28AD2319B29428D2D5640592AB6C82,SHA256=E607B068B21D47FE1EC38B159147882D3F6F27CFC459F716CC6D24346B2B2DF9falsetrue 11241100x80000000000000005498055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.753{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{9D425830-4259-4A22-8003-24667CAF6A57} - OProcSessId.dat2021-09-08 19:42:49.753 13241300x80000000000000005498054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.753{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000001) 13241300x80000000000000005498053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.753{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000002) 13241300x80000000000000005498052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.722{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6444\0Binary Data 12241200x80000000000000005498051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.722{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6444 734700x80000000000000005498050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.722{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 13241300x80000000000000005498049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:49.722{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling\0Binary Data 12241200x80000000000000005498048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.706{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005498042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 12241200x80000000000000005498041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.597{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll16.0.13801.20808Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso98Win32Client.dllMD5=58F3352E3A0867817F759EA7940F2E10,SHA256=86AFDD63CFCA5B03D5265A2828F073CA401FE00B555B40AD9A0F7A193E200315trueMicrosoft CorporationValid 12241200x80000000000000005498021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.581{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005497998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 12241200x80000000000000005497997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.441{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005497996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.441{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005497995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.441{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005497994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005497993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A4FF0D5FD983BB20722A8D391F45487,SHA256=609BF0770E34556029E3A2667957F94CB3939183AA4A775D6D60DC319C6A6EE7falsetrue 12241200x80000000000000005497992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005497990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.253{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll16.0.13801.20442Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso50Win32Client.dllMD5=AF5E26C38079AF31CCAA732B6A351A0D,SHA256=C0BBDC787DCD21EF78B89B6C18C81A1ECC8F5B4D3C4E2F412525FD70039E667DtrueMicrosoft CorporationValid 12241200x80000000000000005497989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005497968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A02686CDE66F2F5B4A1902D15A7511,SHA256=8DBD7EBA486476BDDDE1078733AC46F3CC2561C2CEEF7600F9599E3B1E4CE909falsetrue 12241200x80000000000000005497966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.253{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmso40uiWin32Client.dllMD5=42CCB21CAB1B66AA9C7FF859A4BED97B,SHA256=76EFA67F0B7EA66DEAB42DB051DBCBA4B05EC04032B1D8AAE5E7761D7C6CA24FtrueMicrosoft CorporationValid 12241200x80000000000000005497964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005497941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005497940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.362{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93F727993AFF2E55A94E81C4F385A79,SHA256=F41B9A45B6495AFE84674F1B9E4DA824CC7B173976655F2C59A0DB3B738718DCfalsetrue 12241200x80000000000000005497939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.128{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso30Win32Client.dllMD5=F4FDCEA65C429F01EEC45163F005B5E3,SHA256=F3FF96E7EBF9E4BB43170456395F09C1DAB832B1F66EBFAFF5EF54344DB929D5trueMicrosoft CorporationValid 12241200x80000000000000005497937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005497910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 12241200x80000000000000005497909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005497886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 12241200x80000000000000005497885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005497861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F14EA4521A8C000F1165581B5837355E,SHA256=6CB383C1FFB8AB7301B1666EEA83FD484EA049147C834725894652DB20D28359trueMicrosoft WindowsValid 12241200x80000000000000005497860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005497834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptui.dll10.0.14393.3321 (rs1_release.191016-1811)Microsoft Trust UI ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTUI.DLLMD5=7BA8C29986BA103E2353D405DCCB87D7,SHA256=E9FFD440B5318D65AC2A38125CC417C8F34C6344CA8D9251A8ABE74D14C518B8trueMicrosoft WindowsValid 12241200x80000000000000005497833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.019{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll16.0.13801.20840Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso20Win32Client.dllMD5=33E67D19ED73BD77FAB770F3677363E0,SHA256=3A7198AC7F995AE9FCA91372AFC3719C04417D638EE37EAA3162DE0A99F0F6B9trueMicrosoft CorporationValid 12241200x80000000000000005497808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005497783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_aec97a71ddd5fa56\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=D1F325FD8BA2F0AA9F853CB05DBDE6F6,SHA256=ED1FDCE716A2D5E0703DEBAE0E272BAA49C750B31773E9C0ADFCF5F9758F9350trueMicrosoft WindowsValid 12241200x80000000000000005497782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005497758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.956{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\OART.DLL16.0.13801.20688Microsoft OfficeArtMicrosoft OfficeMicrosoft CorporationOART.DLLMD5=A4816E74F5F4F3A1D9B6637EB47C8B23,SHA256=9447582F286D97A4707BB8A6847398637D742E5ED653804EE94E495E3E3BF339trueMicrosoft CorporationValid 12241200x80000000000000005497756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.159{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005497733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.128{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 12241200x80000000000000005497732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005497731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:48.831{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL16.0.13801.20854Microsoft WordMicrosoft OfficeMicrosoft Corporationwwlib.dllMD5=88AD4C5ED7EE51A82DDB8DF471E749B6,SHA256=E21BE93D40924965E74C6D1619F3C9AEE1FE09F535C8260B61387984DF55BC2DtrueMicrosoft CorporationValid 12241200x80000000000000005497730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005497729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005497728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005497727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005497725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005497711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005497710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005497709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005497708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005497707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005497706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005497705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000005497704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 11241100x80000000000000005499500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.816{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.816{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6AB677E097149389A4EF157CC8CA42,SHA256=A436640A1F850293CBDE74816850870E73ACCDFB64578D1635279F3FCDBF99F5falsetrue 11241100x80000000000000005499498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.784{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.784{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005499496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.784{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005499495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.784{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005499494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005499492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000005499491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\38D0C2E4C74CC90BC46117B3DBC84AE1MD5=FF57CC1839AEC8D2798CF74CB0ED7D32,SHA256=6FE06986E40FB55BF19FB50F7C16332402DD4ABF17008FDFA876F96B7447788Afalsetrue 10341000x80000000000000005499489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\A0FC1244056019D179FA0CCAC0F7FCC6MD5=A0083045A7E7D70E4532C626A1FE8699,SHA256=45D6FB85C448FDB482C219A3CAE77DB1EE449ECC05C25B6B4EB02B4850074BE7falsetrue 10341000x80000000000000005499487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.769{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49FMD5=92C0F84334C8FD124767CD29AEB8E034,SHA256=6945C36841CE5F9EC875AD1538CB85EBA0D87B15EB76C29E972F78702CB02C1Efalsetrue 10341000x80000000000000005499485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A2MD5=DBC792E4BC04A6DCCFC309542278D4EA,SHA256=6665A2E7BE753392DB1236C120EA120960742EACB8344621794FE0D344DAF3C8falsetrue 10341000x80000000000000005499483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=A591DAB5A2310CD3731525B385D1396B,SHA256=4970545456F29EE3C1B3D4EE705ABCE1FC3B9CE453D931E79C71CE7C59A72806falsetrue 10341000x80000000000000005499481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=634DC7013B7C1AB6BD4F8CFC4A028709,SHA256=67012B4C280F05DA5DF7F151C5901F280BF806DF4556D733CC9B7E8C63B3E3C7falsetrue 10341000x80000000000000005499479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=32110EA4C0FFCA7491DC6DA4C6A6D384,SHA256=F72F0CF3EFA4F3B16615286335D472DFB7137E7974477ED83ECE6AFE620F3397falsetrue 10341000x80000000000000005499477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.753{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=8F4CCE9DBA04DC424099E2634AD06622,SHA256=8AAF9FF5A9B92D8A096E2ADFEE63385C8E671D151A8A36FA8DEFEE9234C593F8falsetrue 10341000x80000000000000005499475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.737{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.737{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=B28041A072279E255827662A1ECDD244,SHA256=11581F9780AEC46A1B39BC0B53262E72A07D6FCF1FD98BF50D7E8A5093BC4D83falsetrue 10341000x80000000000000005499473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.737{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.737{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=A0D01BEB7F9C32572DE80E8CF45BBEA8,SHA256=8CAED1C6192E6F6FA8B84F80A0C7C642A5FEAEC2D8B51925D67CE0718C208608falsetrue 10341000x80000000000000005499471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.737{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.737{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=2D0FD768107726ADE7B831150284AA1C,SHA256=99013ECDD953FA871BA5AC89C027D76419A4EF63AA2436747424E50A09ED605Afalsetrue 10341000x80000000000000005499469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.737{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.722{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=C77A6E9B27322245B3487E4844429CB8,SHA256=BAD01CB286E918D3188515DCB1E1AF61E7D49DB36C9FB28DE3126876A7A46053falsetrue 10341000x80000000000000005499467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.722{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.722{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=DA9DF9C31739CE2368749A89C8FB55A8,SHA256=B716219BF1B59B445323268FD9722A0753E3DD0D7E8851FF9DEC9070B79EB215falsetrue 10341000x80000000000000005499465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.722{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.722{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=60BD040488FB0BF141BCE4D698250114,SHA256=4C3A08508D62E384FD54FEBE151D3AF6E59E727F2BA980EC09E31072C9DBF6C3falsetrue 23542300x80000000000000001551288Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:50.382{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA173D23E3E9419945FB62B9C286CA1,SHA256=BC8A1A2C0C8AD293CD351EB91817A75B01BEE7E3499754D9308D2BCE1F964D77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005499463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.706{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.706{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=6B1A603152C6F5EE5D4F625B72A9FC9B,SHA256=CA6D567321C7181D934BA14664EAFB537AA82F5435F9EF297ECBBDB28541A1CCfalsetrue 10341000x80000000000000005499461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.706{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.706{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\0WIIYHJ8.cookieMD5=CE54959DB05E0EE9EB5B1D791C45CF9D,SHA256=671EF85BB84D73AD85730A2F3731596C78A51ACB5C3C42E15345323744A4E05Cfalsetrue 11241100x80000000000000005499459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.706{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\MQ4WNBJN.cookie2021-09-08 19:42:50.706 12241200x80000000000000005499458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.659{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency 12241200x80000000000000005499457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.659{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 12241200x80000000000000005499456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-08 19:42:50.659{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\&sa 354300x80000000000000005499455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:36.925{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49813-false10.0.1.12-8089- 13241300x80000000000000005499454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.519{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\Federation(Empty) 13241300x80000000000000005499453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.519{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\UserId877fd83f-3dba-4665-9010-4319bfad7aca_ADAL 13241300x80000000000000005499452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.519{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\IdentityTypeDWORD (0x00000004) 13241300x80000000000000005499451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.519{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\StartTime13275603770519 23542300x80000000000000005499450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.519{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\SR4F11L2.cookieMD5=D63ADFC92F59FC123EE7AFFCE2DDA408,SHA256=E6E269CB1EE7C9DE158FA14A2E17FB09CC521E1C3ACB24FA664164777B47210Ffalsetrue 11241100x80000000000000005499449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.519{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\0WIIYHJ8.cookie2021-09-08 19:42:50.519 11241100x80000000000000005499448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA27C561813A94F2B5AE3E4AA3A87A6,SHA256=F1245D3E4BFFFA3B6E7B9CB8691B019212085BAAA6AF55B1A946A3EB9C41FD04falsetrue 11241100x80000000000000005499446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005499445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CCD63285A26347493CF11728143C13C,SHA256=0CD10CBC100CD8E455FAF4C50707A6FF09959C754BBEFECE3E3B5162F6060487falsetrue 10341000x80000000000000005499444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.425{4DF467A6-1238-6139-BCD6-00000000F001}64446520C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52cbf|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52c5a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52bd6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+5259d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+467c9|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+7cbb3|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1e87dc|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1210|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1602|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005499443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.237{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid 12241200x80000000000000005499442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.237{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Globalization.dll10.0.14393.4467 (rs1_release.210604-1844)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=4D2537567A93ABF1D93CB7A7E76F954C,SHA256=5740181B56927C0DC66A6BCECA15EA2806A0ED471A01F785AD47C8C73A1DF85FtrueMicrosoft WindowsValid 12241200x80000000000000005499417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005499394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.409{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0413CA300F4B2DB2BCC1806A952D7E6,SHA256=1BECA6E0760032F79F5384EEC9CFC44056488FC66B4436D2F75D69589028277Cfalsetrue 12241200x80000000000000005499392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.409{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005499376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 12241200x80000000000000005499375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.394{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x80000000000000005499363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECBtrueMicrosoft WindowsValid 12241200x80000000000000005499336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.175{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 12241200x80000000000000005499311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 13241300x80000000000000005499300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.378{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6444\0Binary Data 12241200x80000000000000005499299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.378{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08trueMicrosoft WindowsValid 12241200x80000000000000005499283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DAtrueMicrosoft WindowsValid 12241200x80000000000000005499256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2trueMicrosoft WindowsValid 12241200x80000000000000005499229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.362{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005499205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.347{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005499204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7trueMicrosoft WindowsValid 12241200x80000000000000005499201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005499178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.347{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005499177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.347{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001503E8\VirtualDesktopBinary Data 12241200x80000000000000005499176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001503E8 10341000x80000000000000005499175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.347{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005499174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005499173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.331{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\DocumentTemplateCache\en-US{F3E59A1F-4A71-4DC0-AF89-6FE234327150}\UpdateInProgressDWORD (0x00000000) 12241200x80000000000000005499172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005499171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.331{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\DocumentTemplateCache\en-US{F3E59A1F-4A71-4DC0-AF89-6FE234327150}\UpdateInProgressDWORD (0x00000002) 12241200x80000000000000005499170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.331{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\DocumentTemplateCache 12241200x80000000000000005499169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\DocumentTemplateCache 734700x80000000000000005499167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.112{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 12241200x80000000000000005499166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.331{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6trueMicrosoft WindowsValid 12241200x80000000000000005499139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-08 19:42:50.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\/qa 12241200x80000000000000005499138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005499115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x80000000000000005499114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6EtrueMicrosoft WindowsValid 11241100x80000000000000005499112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.316{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46653D4EDC2F4A9AC2823C45A6C5FF8,SHA256=18DB62A29327CE61C79D69BBACBD52D8E24A1285C730F9BF303AFDCA4BD739CEfalsetrue 12241200x80000000000000005499110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 12241200x80000000000000005499107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.316{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005499084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.300{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 12241200x80000000000000005499083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 12241200x80000000000000005499081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.300{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005499057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F91E726DDCCA4F3B11EED5110321DFA,SHA256=A3FF3EB3BC21EC849E85838EF7AF86E4D1E93117BDC2511274C5AB7117E83914falsetrue 13241300x80000000000000005499055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.253{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Tap\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\QFWarmUpLastUpdate2021-09-08T19:42:50Z 12241200x80000000000000005499054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DABtrueMicrosoft WindowsValid 12241200x80000000000000005499051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 12241200x80000000000000005499024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2trueMicrosoft WindowsValid 12241200x80000000000000005498997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.253{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.237{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDCtrueMicrosoft WindowsValid 12241200x80000000000000005498972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 12241200x80000000000000005498969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 12241200x80000000000000005498942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.237{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 12241200x80000000000000005498917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005498893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005498892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B4EBABEB3D4C49C980A50B3B6DB5CB,SHA256=338F907E5BC1290FB8F452B835AF43AE8890CA7FBB640D9B078703A09E9BA8D4falsetrue 12241200x80000000000000005498891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x80000000000000005498888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 12241200x80000000000000005498887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005498863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005498862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005498861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005498860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005498859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 13241300x80000000000000005498858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.206{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings\MuiCache\115\52C64B7E\LanguageListBinary Data 12241200x80000000000000005498857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 12241200x80000000000000005498854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.206{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000005498831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\&saBinary Data 12241200x80000000000000005498830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x80000000000000005498828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 12241200x80000000000000005498827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x80000000000000005498800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 12241200x80000000000000005498799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.191{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x80000000000000005498772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x80000000000000005498771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.175{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005498747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.175{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 12241200x80000000000000005498746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 18141800x80000000000000005498745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:42:50.175{4DF467A6-1238-6139-BCD6-00000000F001}6444\wkssvcC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 12241200x80000000000000005498744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.175{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 12241200x80000000000000005498742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.956{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL16.0.13801.20442RichEdit Version 8.0Microsoft OfficeMicrosoft Corporationriched20.dllMD5=4AADCAFE0937BFDD2C0E089B37549CD7,SHA256=8D12811470721C2A4775AE2CF2B236C5E16FD4215D70E63C768BD9F4ADBC364AtrueMicrosoft CorporationValid 11241100x80000000000000005498740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005498739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.175{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101BB5C1B15B516B0E925A3DD137BEB1,SHA256=C40AE9416AEC65C03A67CA8D42E583C0B39187AB37009CDA78AA32451590F674falsetrue 12241200x80000000000000005498738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.175{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000005498714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5AtrueMicrosoft WindowsValid 734700x80000000000000005498713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dsreg.dll10.0.14393.4467 (rs1_release.210604-1844)AD/AAD User Device RegistrationMicrosoft® Windows® Operating SystemMicrosoft Corporationdsreg.dllMD5=79A9D7EA2FEAEF86876FFD1B6D1CB6C1,SHA256=A1BA47F25235AA03E37B420DA61B68E1F3165A590B15AAC43894613A88250018trueMicrosoft WindowsValid 734700x80000000000000005498712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44trueMicrosoft WindowsValid 734700x80000000000000005498711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005498710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 13241300x80000000000000005498709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 734700x80000000000000005498708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 13241300x80000000000000005498707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000005498706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x80000000000000005498705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005498704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.159{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 734700x80000000000000005498703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.159{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11trueMicrosoft WindowsValid 734700x80000000000000005498702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLL3.4.1.35249ADAL.NativeMicrosoft© ADALMicrosoftadal.dllMD5=83940B529D140372B1FF153CF83E478D,SHA256=1D246C806D9F170AAC09E8AA3507553B7833BA2067B81150588444B3C93BAADBtrueMicrosoft CorporationValid 12241200x80000000000000005498701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000005498696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.925{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 12241200x80000000000000005498695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 10341000x80000000000000005498694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005498693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 10341000x80000000000000005498691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005498690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x80000000000000005498672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-08 19:42:50.144{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\)ra 734700x80000000000000005498669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.909{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920trueMicrosoft WindowsValid 12241200x80000000000000005498668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 12241200x80000000000000005498644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005498641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.144{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CBD03B58-1AF6-4296-A029-AC9E6257568D}.tmp2021-09-08 19:42:50.128 12241200x80000000000000005498640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005498638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.894{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686EtrueMicrosoft WindowsValid 12241200x80000000000000005498637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.128{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msxml6.dll6.30.14393.4530MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=10A0259030F41545ECAFB6A595F7C457,SHA256=CF160C3ADCE5AA2357697A02C6FC38071CBE1818B036F1C67F746868EB7F814DtrueMicrosoft WindowsValid 12241200x80000000000000005498615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000005498611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.878{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 12241200x80000000000000005498610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.128{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exeHKCR 11241100x80000000000000005498587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005498586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.112{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDC5A21CF7A10D2B16A5F1007971C72,SHA256=1BB4F45E5C736F58275D018E3F98D51420A5A531DBEF5AD4C8B6C4CCE1BAFCD9falsetrue 10341000x80000000000000005498585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.112{4DF467A6-3F48-6132-1600-00000000F001}12486032C:\Windows\system32\svchost.exe{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005498584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.112{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\38D0C2E4C74CC90BC46117B3DBC84AE12021-09-08 15:58:41.797 12241200x80000000000000005498583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000005498575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.862{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9DtrueMicrosoft WindowsValid 12241200x80000000000000005498574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.112{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.112{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 11241100x80000000000000005498557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.112{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\A0FC1244056019D179FA0CCAC0F7FCC62021-09-08 15:58:34.775 734700x80000000000000005498556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005498555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 734700x80000000000000005498554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 11241100x80000000000000005498553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49F2021-09-08 15:58:13.696 734700x80000000000000005498552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 11241100x80000000000000005498551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-08 15:58:12.555 11241100x80000000000000005498550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm2021-09-08 19:42:50.097 10341000x80000000000000005498549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.097{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005498548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.097{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 13241300x80000000000000005498547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.081{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 734700x80000000000000005498546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000005498545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005498544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 12241200x80000000000000005498543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005498539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.862{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d11.dll10.0.14393.4467 (rs1_release.210604-1844)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=F940A91B13592184F228ECC14D8D9358,SHA256=2BC05A4D09CDBAB8DB5F767DC95F31B2CA324928A94F004C7C2968E3E9E635E2trueMicrosoft WindowsValid 12241200x80000000000000005498538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 12241200x80000000000000005498518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.081{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005498517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-08 15:57:54.225 11241100x80000000000000005498516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.081{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-08 15:57:54.225 734700x80000000000000005498515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.066{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 11241100x80000000000000005498514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 734700x80000000000000005498513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.066{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005498512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.066{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 11241100x80000000000000005498511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.066{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 13241300x80000000000000005498510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.066{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\)raBinary Data 11241100x80000000000000005498509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 734700x80000000000000005498508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x80000000000000005498507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\Wbem 12241200x80000000000000005498506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000005498505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE 12241200x80000000000000005498504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\Wbem 12241200x80000000000000005498502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft 12241200x80000000000000005498501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE 12241200x80000000000000005498500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000005498497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.847{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10_1core.dll10.0.14393.0 (rs1_release.160715-1616)Direct3D 10.1 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10_1Core.dllMD5=AD41EACFB2A670E17F2C09F8AB06F428,SHA256=208B4CF05936AC21EB0337FB17B1B8F12D778A6E880435C589202457EB0CF73EtrueMicrosoft WindowsValid 12241200x80000000000000005498496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005498475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 11241100x80000000000000005498474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 12241200x80000000000000005498473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005498472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-3F48-6132-1100-00000000F001}3601648C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-3F48-6132-1100-00000000F001}3601648C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005498470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 10341000x80000000000000005498469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-3F48-6132-1100-00000000F001}3601648C:\Windows\system32\svchost.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005498468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000005498467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000005498466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000005498465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 13241300x80000000000000005498464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000005498463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000005498462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000005498461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 13241300x80000000000000005498460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000005498459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000005498458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000005498457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.050{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 12241200x80000000000000005498456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000005498444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.847{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10_1.dll10.0.14393.0 (rs1_release.160715-1616)Direct3D 10.1 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10_1.dllMD5=9945D52ACD8FED11F0A636F916C4FF16,SHA256=97C5A99ED38F8516133D6B95070C5998BAAE75EAEF730531D91B81FEE4B81D82trueMicrosoft WindowsValid 12241200x80000000000000005498443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 12241200x80000000000000005498439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.050{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.050{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005498428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005498427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005498426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005498425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005498424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000005498423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005498422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 12241200x80000000000000005498421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005498420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 734700x80000000000000005498419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x80000000000000005498418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005498417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005498416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005498415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005498414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005498413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 154100x80000000000000005498412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{4DF467A6-3F47-6132-E403-000000000000}0x3e40SystemMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2{4DF467A6-3F47-6132-0C00-00000000F001}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 12241200x80000000000000005498411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.831{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 734700x80000000000000005498408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.972{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 12241200x80000000000000005498407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005498384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 11241100x80000000000000005498383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 12241200x80000000000000005498382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x80000000000000005498380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 11241100x80000000000000005498379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.034{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 12241200x80000000000000005498378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.831{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid 12241200x80000000000000005498375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.034{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005498351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\38D0C2E4C74CC90BC46117B3DBC84AE1MD5=FB9B970AECD9A012EC66C3C21CB3D590,SHA256=1EC1D771D27A7091254ED84E0143C122E5959733BE52D29767152B2BAA315C46falsetrue 10341000x80000000000000005498349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\A0FC1244056019D179FA0CCAC0F7FCC6MD5=2FC2CB03F27B2EA9908E9E47ED8C129E,SHA256=E373055E564C0DD9C61B55EBA75B3CBC8B16125158A67E99E0B054BB909F9A15falsetrue 13241300x80000000000000005498345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.019{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\SessionIdBinary Data 12241200x80000000000000005498344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005498342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000005498340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.816{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AEtrueMicrosoft WindowsValid 12241200x80000000000000005498339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005498318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\4931371A19CF250537D00E82E2ACC49FMD5=E70D84FCEFD12D26A5C2883D2F822C2B,SHA256=7F2C14F1827D7ECF513824523E5BCCBBAD8DC8CAA683DBDD1E659CC6EDDD9E46falsetrue 12241200x80000000000000005498316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteValue2021-09-08 19:42:50.019{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\PotentialDataLossInfo2 11241100x80000000000000005498315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 12241200x80000000000000005498314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005498313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD12983DE958D8455125BF7458B6DF73,SHA256=38A005B98F23288DD8053D22DDDBCFD5DF97082517FC9E03F5145ED020070B18falsetrue 734700x80000000000000005498311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.816{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid 23542300x80000000000000005498310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A2MD5=C8596AF6F22F4AE2D27DE8561D8565AF,SHA256=BC66EB643A0AB83983436E79FE7AC7945C21C11400945AE05772B77BB5C66ECBfalsetrue 12241200x80000000000000005498309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000005498286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.019{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000005498285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.019{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities2086 15,1074 15,2413 15,827 15,134 15,2402 15,129 15,1001 15,2159 10,103 15,2324 15,185 15,1000 15,121 15,2401 15,1445 15,1338 50,951 15,1338 10,999 15,226 15,1282 50,831 15,1282 10,1338 15,2430 15,1282 15,132 15,1128 15,2328 15,2087 15,850 15,998 15,1039 15,828 15,2323 15,108 15,829 15,2088 15,335 15,830 15,1255 15,974 15,1249 15,670 15,671 15,1002 15,111 15,332 15,669 15,291 15,1249 10,70 50,2327 15,120 15,184 15,2325 15,2326 15,2329 15,116 15,2403 15,2404 15,2405 15,1209 15,2406 15,334 15,2407 15,1221 15,2408 15,2409 15,2410 15,1443 15,2415 15,937 15,1204 15,2411 15,2412 15,2416 15,2424 15,159 15,109 15,2414 15,2417 15,2418 15,133 15,318 15,160 15,2419 15,114 15,107 15,2420 15,2421 15,131 15,2422 15,2423 15,104 15,102 15,2425 15,2426 15,2427 15,112 15,117 15,106 15,1444 15,115 15,118 15,101 15,2322 15,113 15,105 15,123 15,2428 15,2429 15,2431 15,2432 15,125 15,333 15,331 15,2225 15,336 15,128 15,124 15,100 15,2433 15,1007 15,110 15,2434 15,1446 15,2435 15,2436 15,122 15,1373 15,2437 15,127 15,119 15,1008 15,2438 15,969 15,2439 15,126 15,130 15,1584 50,2159 6 10341000x80000000000000005498284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005498283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.019{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,22561229,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000005498282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds019677900,24131419,34968335,8758344,17134338,20039442,18409363,21378256,40920709,19200086,19972417,51655840,17634580,18658649,18375312,23979203,18658648,17698823,17183040,19677907,34968340,18948503,18658650,17650967,21378211,18637650,18674530,9319450,17126295,18948102,21313610,18409416,18948101,36517339,17634578,18400089,36761792,21030802,21378249,20979747,34968342,34968338,50890251,34968337,34968339,24470607,8448079,6366290,38013077,34968341,7690258,34968589,36274763,17182941,24406167,20027008,17182979,20027009,9176926,23205313,7690254,5850584,8263521,17622912,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,21378246,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,17045407,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,5888003,19732353,23979200,18384802,18633496,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077,19200081,25036313 12241200x80000000000000005498281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 23542300x80000000000000005498280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=3947FAC3F192C1BE37BB21CB90DE6D67,SHA256=29D7B6BD9BA3D8B14B833C84776114175F785B9D2D482D39B0F96D5CF1B3A580falsetrue 13241300x80000000000000005498279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 12241200x80000000000000005498278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000005498277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 13241300x80000000000000005498276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000005498275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000005498274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000005498273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000005498272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000005498271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000005498270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 13241300x80000000000000005498269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\2DWORD (0x00000000) 12241200x80000000000000005498268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 13241300x80000000000000005498267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 13241300x80000000000000005498266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 12241200x80000000000000005498265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005498264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005498263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005498262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005498261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000005498260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005498259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000005498258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005498257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 10341000x80000000000000005498256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005498255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 23542300x80000000000000005498254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=404296727499D10B11B0EFD9BAAEF01C,SHA256=9BD491BB8F1209A5EDDEEEA8E51ED76474564F3A28B6908F3BF00604B49D233Dfalsetrue 12241200x80000000000000005498253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 12241200x80000000000000005498252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005498251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 12241200x80000000000000005498250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005498227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=353EFC956B4E6D12C01179554C5E96E2,SHA256=A2334A605777851E9A4867D57A88A5D48055EA3B0769B850BF3900150CEF7D53falsetrue 734700x80000000000000005498225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL16.0.13801.20178Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmsptls.dllMD5=53C631125C4AB3BFA9F7DB70B4B02EFA,SHA256=4F0593A374FE614EBBFAB37A9C39515D695ABA2EF3ADDD72BD912A83426789FEtrueMicrosoft CorporationValid 10341000x80000000000000005498224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005498223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 23542300x80000000000000005498222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.003{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=10A4442119B2A3C08E3EC80887AFFB23,SHA256=1ECF372576CE9BA68E2EB48F606E6076AC2941E9FD8F07DAA759052CC94F746Afalsetrue 734700x80000000000000005498221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.800{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid 12241200x80000000000000005498220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005498219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005498218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005498217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005498215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005498201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005498200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005498199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005498198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:50.003{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005498197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005498195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000005498194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005498193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005498192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.987{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=69B9A2BF25F92E861DB733B3D4F89114,SHA256=DCF54B84DC552C5F6F069E983E21F5B0DAAB6ABF8609B7CB160943AF07B856D2falsetrue 12241200x80000000000000005498191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000005498187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:49.987{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 23542300x80000000000000001551289Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:51.383{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A46E2065C566BB6A83F8C9FF2C79A1,SHA256=AA82CC86B7B0FB9958D869E34242EF85A6C0A6BF0C0408BF3F0AB985EF42AB12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005499781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=FCBB6080CBA047D7FB74AAFC973AA392,SHA256=B4160CEAD0057B2823C44EA8CD7C690BEFFE3F1793DA03EDFEE967870011F46Bfalsetrue 10341000x80000000000000005499779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=ED1F99889289153598043F3C464FAE72,SHA256=D9A9DC2283A0113C09670EE9597BC12BF064F4BCB8743D4FE1BC96738D705216falsetrue 10341000x80000000000000005499777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=24532C2C4AE874F595979F305AF1E91B,SHA256=4CCF769AE69A82804C6BBF7C9D41749B57432F4F7F56E305082655FC0FD0595Bfalsetrue 10341000x80000000000000005499775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=BA55BF713EEBECF4154D4CF7CC28C6FB,SHA256=179D07980A92D5DDB5CDE21B403B9270037A0AF7A21D36B7CBEC5B8D90E25178falsetrue 10341000x80000000000000005499773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=131E9EB674CDF6B4F16E7A2D834DE524,SHA256=516551C1958B6C60B2BAE26E99FC2851F1465DB0AA40C18A1BBA7D26B16EC1CEfalsetrue 10341000x80000000000000005499771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=D32C6FCD913F3D5437B9CC24EBED5F3B,SHA256=0441C5E0D824637608642560675E5866F5F79F93E5397620107466B60CCDAE5Dfalsetrue 10341000x80000000000000005499769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=D1A8C874A8F6BD55DD173E332D1341C9,SHA256=EAF96D02A97039B992A973CF924A4EBF897117E51150E71DC7184FADE04668B9falsetrue 10341000x80000000000000005499767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=C7D9896C7AC5D6943E99934027319045,SHA256=7677BC0A30283DFA7EF27142206CC6CFEFC4DCFA411C11E5D05FC66ED45DD259falsetrue 10341000x80000000000000005499765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.972{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=37AE14F67DFC7293610AEEA3F6AEEF26,SHA256=D2F35DF6271991CF89022A355261A6C4039EB338BCD4FF62D9A00E37465CA303falsetrue 10341000x80000000000000005499763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.957{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.957{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=956EA819556DD2E528B14D30EEA46C01,SHA256=C56386FC25956D892E6815EF77164B5FEB9F40D3972AADD43ED88EFF770D6207falsetrue 10341000x80000000000000005499761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.957{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.957{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\6ATLVMN7.cookieMD5=E879B59F5A7A0AE8FCA7F427A80DE6B9,SHA256=67C5714B6AADD533DF8D58B55181B84B08420AC9962CE9D179E659622ACB7D93falsetrue 11241100x80000000000000005499759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.957{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\996MABNW.cookie2021-09-08 19:42:51.957 22542200x80000000000000005499758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.646{4DF467A6-1238-6139-BCD6-00000000F001}6444outlook.office.com0type: 5 substrate.office.com;type: 5 outlook.ha.office365.com;type: 5 outlook.ms-acdc.office.com;type: 5 EAT-efz.ms-acdc.office.com;::ffff:52.96.166.34;::ffff:40.97.117.226;::ffff:40.97.134.178;::ffff:40.97.162.98;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005499757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.926{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005499756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.644{4DF467A6-1238-6139-BCD6-00000000F001}6444outlook.office.com0type: 5 substrate.office.com;type: 5 outlook.ha.office365.com;type: 5 outlook.ms-acdc.office.com;type: 5 EAT-efz.ms-acdc.office.com;::ffff:52.96.166.34;::ffff:40.97.117.226;::ffff:40.97.134.178;::ffff:40.97.162.98;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005499755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.926{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005499754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.601{4DF467A6-1238-6139-BCD6-00000000F001}6444support.content.office.net0type: 5 support.content.office.net.edgekey.net;type: 5 e584.g.akamaiedge.net;::ffff:23.60.72.96;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005499753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.926{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005499752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D64FA92E2B1931EE927FED764A05D6,SHA256=07E8EE39290BC9895C7C3E0C1D83C761EC6F695A64F450AAEDD1DFC47B886575falsetrue 734700x80000000000000005499750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid 12241200x80000000000000005499749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.894{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\cryptxml.dll10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)XML DigSig APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptxml.dllMD5=2D8B5120841F9D57D81B417B8033051F,SHA256=10896E3FBB656A1FD76CB636510A8501B12068C653BC27FAA4DD8DC89ED7AE4AtrueMicrosoft WindowsValid 12241200x80000000000000005499724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppsvc.exe10.0.14393.4530 (rs1_release.210705-0736)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeMD5=280B8B6A6CD8A833284EA11425EE5396,SHA256=FD9A147C6649AC20CBC7C74DC431866468D2E4183ED7B876F7E336382DCC6A40trueMicrosoft WindowsValid 12241200x80000000000000005499699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.879{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.863{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exeHKLM\SYSTEM\WPA 13241300x80000000000000005499675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:51.863{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ServiceSessionIdBinary Data 734700x80000000000000005499674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 11241100x80000000000000005499673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005499672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BDB3B9D86BE7D2104B9815457C2A6273,SHA256=4F5061BCF0B5F7A307C6E8CA0286D812645B55D101DE8AC7FBB2D6503059917Ffalsetrue 734700x80000000000000005499671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 11241100x80000000000000005499670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005499669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7C762ADF67BEDBFE7C05CF25B4069119,SHA256=2CFA2A3951235CF8311DA992AA61182926F0CC5952E18BEC12D633C8413221B7falsetrue 734700x80000000000000005499668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 10341000x80000000000000005499667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-3F46-6132-0A00-00000000F001}6207644C:\Windows\system32\services.exe{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005499666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005499665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005499664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.863{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000005499663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000005499662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005499661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005499660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005499659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005499658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005499657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005499656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 11241100x80000000000000005499655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-US2021-09-08 15:57:53.819 23542300x80000000000000005499654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 734700x80000000000000005499653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005499652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005499651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005499650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005499649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x80000000000000005499648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005499647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005499646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.847{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005499645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005499644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005499643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005499642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005499641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005499640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005499639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.832{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x80000000000000005499637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005499636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.832{4DF467A6-3F46-6132-0A00-00000000F001}6207636C:\Windows\system32\services.exe{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005499635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.767{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exe10.0.14393.4530 (rs1_release.210705-0736)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICE{4DF467A6-3F47-6132-E403-000000000000}0x3e40SystemMD5=280B8B6A6CD8A833284EA11425EE5396,SHA256=FD9A147C6649AC20CBC7C74DC431866468D2E4183ED7B876F7E336382DCC6A40{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000005499634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.754{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005499633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.754{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005499632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.754{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005499631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.754{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-08 15:57:54.225 11241100x80000000000000005499630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.754{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 11241100x80000000000000005499629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.738{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 11241100x80000000000000005499628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.738{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.738{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005499626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.738{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005499625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005499624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA385628481ECAB080398FF5B3DBC12,SHA256=485F77BFBFE2CFB7E3425D5CFB16F558F119780B0C33E51CE2FC486DBE0EA237falsetrue 11241100x80000000000000005499621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005499620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 11241100x80000000000000005499619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055842405E351C2AE340F074D1106346,SHA256=05F3E9999B8C6F6B985F23716B8ED503AA01ABBBF5EAA6B6E5BFE7E97C45E9ADfalsetrue 10341000x80000000000000005499617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=83FF2C831F2454A0A20D4E66F73640FB,SHA256=4F3128A922D559F54A7FD5295E41F1667941241F3251E0376809235776B3C810falsetrue 10341000x80000000000000005499615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.722{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=BECFE678B46322C481B4CF0CD4C8DB84,SHA256=6578889000B24CD4FBB88640E9D9A567BAC27EDF19C861A033D17FA2EFF7E842falsetrue 10341000x80000000000000005499613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=370F6DBE2613C408167F4B62F50CBA06,SHA256=05E12D757D726BA43058FA9D2879B442FB42D4D1923F26212BAB8704219CF6CFfalsetrue 10341000x80000000000000005499611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=3B716E1B1A44D146EDF01CB2063FAE93,SHA256=BD6F42914AB099151628ECC047B650140973668AFEF974729FEAFD42D9A2C257falsetrue 10341000x80000000000000005499609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=25C502C96FEC831637B7528163C9AE53,SHA256=2E7E4E2CD981F5DA472841B37A5A925FA72C04BAF946EB4775A140E227CE8E8Afalsetrue 10341000x80000000000000005499607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=374DF57877112187DD04BF14FB835BE8,SHA256=70D980EFE09C28DE5D705D0B9EE4848B0F397AD865D51BFDE4A03294BD0ADC51falsetrue 10341000x80000000000000005499605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.707{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=3D0937036B301D5441C5B29249AB9D8C,SHA256=D4DD324EBF97B8E8F92C0408061D60085AAB2482AE3FD946A493A090769CCB7Bfalsetrue 10341000x80000000000000005499603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.691{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.691{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=F3074F3858791F8409D5BE59D0A3D27E,SHA256=AD939D960B9C3369EAC6CAB96616143C8AEB0EFC0F44855F5F46D89F8FA35B49falsetrue 10341000x80000000000000005499601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.691{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.691{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=536B9F1D17F1978B4F5E4FBA67692D0A,SHA256=B662A033336631E8A68716B0D1E5DA5C6BF9E753982C41DCC1DB5AA884E84F05falsetrue 10341000x80000000000000005499599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.691{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.691{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\AIULOKSU.cookieMD5=7D391F5A1ACC4515AF76F15904BA6121,SHA256=F37A33557CCD5BD80910B4C5F40BE77CA8C88A985EA5C13E27D2C0A08B36FD64falsetrue 11241100x80000000000000005499597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.691{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\6ATLVMN7.cookie2021-09-08 19:42:51.691 354300x80000000000000005499596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.666{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51978- 354300x80000000000000005499595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.407{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49815-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000005499594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.407{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49815-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49666- 354300x80000000000000005499593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.407{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49814-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005499592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.407{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49814-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 11241100x80000000000000005499591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005499590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3582022DF49A631D8E23669AB7A88D0,SHA256=E90A9C7450BE1A3D7DC5C8C880681EDD57F988C530BE664BD17C89034B507B46falsetrue 11241100x80000000000000005499589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.519{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 11241100x80000000000000005499588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.519{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 11241100x80000000000000005499587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005499585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005499584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005499583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005499581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000005499580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=91F5948EFEE11156F6AE8A43CF66EBBC,SHA256=53C124507D09A64676C16EFD48EB14C434AA5D4EB78FDDA5B261B89E60036AB1falsetrue 10341000x80000000000000005499578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=875894EE9636502B2B86297CB19DAF6E,SHA256=0B5FC30848621F6BF1216C0D90CA0BBE84068DFB86FC4B884A52E9DA7557902Efalsetrue 10341000x80000000000000005499576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=2F7D5149F1E8B3859E8BAB89F2143EC8,SHA256=792E1994DE90A4D2B9CD154A2518839F5204FBA09C48C463B8DB45FE1C895652falsetrue 10341000x80000000000000005499574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.488{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=3E77E17070FD2E67F0A586DA126346F2,SHA256=96C64772F0FA997F64EEE05571CA811FA962D2A0EA42319D909A2CCC32C71180falsetrue 10341000x80000000000000005499572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=D09D29942B08C8A726ED5C1A4CB714AB,SHA256=F528073A34DA20D8DE95E0B15B16BF5829476669CB266381D158772B833366D1falsetrue 10341000x80000000000000005499570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=09C142A98B49E974C1B592D278662B04,SHA256=17431072464EF2F91F9308138CBD0E4BE2033948DED44203F94FDA4F63EF3EACfalsetrue 10341000x80000000000000005499568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=D1009F1DEB3B0A55173713774B4A383B,SHA256=8DE1D9287FA33D3C92C11DBBA07F69DA1AC00C5FAAC060E0F209DF3EF9FE1E60falsetrue 10341000x80000000000000005499566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=099C4BB12122862988A439182FF0E44C,SHA256=52DDA73CA110B88C3EEEEEE23E27EB11FD8B1758F2D75D20AA5401D4220347A8falsetrue 10341000x80000000000000005499564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.457{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.457{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=8C914411C81035261F25FAE7A8A8DBA0,SHA256=50510D230636CC480482B503B7E85EA05A26A8D774F1A60267AD897F00129622falsetrue 10341000x80000000000000005499562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.457{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.457{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\6KNDCM8W.cookieMD5=39EA93CC7ABE2205F50873B594B50674,SHA256=3BF14589F3E68D1F40AC0766986F0A945C0E66E3B514E2A6327CD114CD2D7FC4falsetrue 11241100x80000000000000005499560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.457{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\AIULOKSU.cookie2021-09-08 19:42:51.457 11241100x80000000000000005499559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\DocumentsSharedWithMe_en-US2021-09-08 15:57:56.538 23542300x80000000000000005499558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.441{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\DocumentsSharedWithMe_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 11241100x80000000000000005499557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.441{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE01F20B502E5E6F1456F5B8280F610,SHA256=A70FBDE20395EBFBB1EEF2010707D972A414C5D7EDEC5F7E9207026A03C9B6A6falsetrue 11241100x80000000000000005499555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.269{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 11241100x80000000000000005499554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 11241100x80000000000000005499553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005499551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005499550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Documents_en-US2021-09-08 15:57:53.835 23542300x80000000000000005499549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Documents_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 11241100x80000000000000005499548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005499547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005499545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000005499544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=7D0F1A4691771FA27EC784628DF64F40,SHA256=2B7DCF8511DACB7D2690C94AA3FB2B9A6BC70DF220F034AC82E07F9B40D33625falsetrue 10341000x80000000000000005499542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=7BC5C8ABDA064E6E509DDDBB2015572A,SHA256=057E41B3F397970EB5DD8CE8D07AFA0BEBC02CD1298B641DA91EF73487BDAFCCfalsetrue 10341000x80000000000000005499540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=71EB4330DE3A5D45FC5D42D44D822EB5,SHA256=37A267FF93AF06897A49EFC64E580B18A7E9C98C8F049941BC03AE840A05AD4Ffalsetrue 10341000x80000000000000005499538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=D5F4CD6EC39A6E6ECF1FAE7A98CEEDFA,SHA256=2EBA32D1D04264CDEFBE94A042F3B33A078131A812EA32AD61CD9BA2D459ED32falsetrue 10341000x80000000000000005499536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=9DA0397F36385F7513D1DEF35E6D0904,SHA256=596063F1BE6C2D3193DFC75240811C2799838C35184F7601B3A6C142AD7CD311falsetrue 10341000x80000000000000005499534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=2B4167A546FC375A3CFC121457EA2072,SHA256=623920DB1594A68D49EBA8B067EB1E9DD78813222EB0E706CE5A73B5FA880858falsetrue 10341000x80000000000000005499532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=7076C4AE06335973911FA7CB678403CA,SHA256=7F88CB3C32CC415AC8B71BC9DB926D954DD3ABD797781AD225D7635E9727472Cfalsetrue 10341000x80000000000000005499530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.207{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.207{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=68A60153ECC19A23E382D1F1B917DD63,SHA256=A76DE151BE813DD3ED5F713924F61D0DD73FFE5AED7DBF787EDF044C2DFA399Cfalsetrue 10341000x80000000000000005499528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.207{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.207{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\OGI2B5YV.cookieMD5=B6941D61320294F6A124C39BE569EE42,SHA256=959711D427C2679EBDF7743AA86993F53274E5C55E961BA07DC4410A9DF0FF08falsetrue 11241100x80000000000000005499526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.207{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\6KNDCM8W.cookie2021-09-08 19:42:51.207 11241100x80000000000000005499525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.051{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 11241100x80000000000000005499524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.051{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.035{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005499522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.035{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005499521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.035{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005499520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.035{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005499518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000005499517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=677420731743C972A5992D8EEDED76E9,SHA256=578BD6EADB7CE342B6BF3E907583A8316C8646C95681CCB535FA6F45732C235Ffalsetrue 10341000x80000000000000005499515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=0E866AD9254058B7B8D3DAD60296287C,SHA256=E1006F9EB37DF9F01D5C2FDC475F76D21DA2B83781602ABF47BE0131F0AD2E1Bfalsetrue 10341000x80000000000000005499513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=86D74F9BA0AD88BF1D198603FE369B0E,SHA256=1C5A7CB9E511042AC9D97546E4AB37AB89FFEE431341044BE8540EE053096ACCfalsetrue 10341000x80000000000000005499511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=CBFB18C03A7ED9B44390AE151370957C,SHA256=E4C56424A8FDFD8CC5E3984225BE9F8DDA554D28BEF3EA697A42F70E7898002Ffalsetrue 10341000x80000000000000005499509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.019{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=CB4EE4E802202F85A7CA083530E42547,SHA256=42D0420E54CA5792A80953DE3115B60449832C916CC804570C1A408594A16B47falsetrue 10341000x80000000000000005499507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.004{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.004{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=14F4500186A369436AD7F254B9C37120,SHA256=6CF84A915915B54BE5E22F65D15A37C07FBA1184459EE879A7CD7691237F1258falsetrue 10341000x80000000000000005499505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.004{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.004{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=7ABE979C6B627A6FD4FE8650B75C6463,SHA256=0066AAF9B96BC59556B8AFAB54997CE47B9905625B6A4EF855AE4FF952209844falsetrue 10341000x80000000000000005499503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.004{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.004{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\MQ4WNBJN.cookieMD5=CDF590DA12BFC4807B656ADF151690E2,SHA256=FE70DA8804F8FFDEB604BAC4FEB5F62655664EE052A1012E3D9A6C7E00449971falsetrue 11241100x80000000000000005499501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.004{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\OGI2B5YV.cookie2021-09-08 19:42:51.004 11241100x80000000000000005500113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.988{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.988{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E1FE47CA164DA13F2D7ACEA65336EE,SHA256=1278D8CF42A0F3E05A20ECF41CB0B627EFDDD9A8AC61D787EF97B092F5A10685falsetrue 11241100x80000000000000005500111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005500110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B34F5C9B876EB97F678F983BD0408F09,SHA256=06BF0107CC59C4AE36EF215EC11013782D9C3D6AE7A9E53D795540FD1117E88Efalsetrue 10341000x80000000000000005500109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.560{4DF467A6-1238-6139-BCD6-00000000F001}6444ocws.officeapps.live.com0type: 5 prod.ocws1.live.com.akadns.net;type: 5 us2.ocws1.live.com.akadns.net;::ffff:52.109.2.52;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 11241100x80000000000000005500107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 22542200x80000000000000005500106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.112{4DF467A6-1238-6139-BCD6-00000000F001}6444outlook.office365.com0type: 5 outlook.ha.office365.com;::ffff:40.97.84.18;::ffff:40.97.142.34;::ffff:40.97.132.18;::ffff:40.97.205.2;::ffff:40.97.161.50;::ffff:40.97.119.194;::ffff:52.96.119.114;::ffff:40.97.118.162;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 11241100x80000000000000005500105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005500104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF0A26DF5ED20D0973E9E059E8735569,SHA256=FC1BBB5BB1BE730274D7F5348596D84A90AAC5C732F2323D682F86022E86DE21falsetrue 23542300x80000000000000005500103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CDFA0686ABC70BFDB46C391663B0E9,SHA256=BEEF71D32C3EB1E29A940A657487677D5B3B1883F37CBAD5119F5BE2ACCBAFC7falsetrue 10341000x80000000000000005500102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.002{4DF467A6-1238-6139-BCD6-00000000F001}6444odc.officeapps.live.com0type: 5 prod.odcsm1.live.com.akadns.net;type: 5 us2.odcsm1.live.com.akadns.net;::ffff:52.109.2.1;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005500098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DF6F3766A5DD7762ECD7BDFA887ADB3,SHA256=3708DFC0BD806BA31170BDA57AA9D9D1AB4FEA46230BED6A243DC13469425058falsetrue 22542200x80000000000000005500097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.678{4DF467A6-1238-6139-BCD6-00000000F001}6444login.windows.net0type: 5 a.privatelink.msidentity.com;type: 5 prda.aadg.msidentity.com;type: 5 www.tm.a.prd.aadg.akadns.net;::ffff:40.126.29.13;::ffff:40.126.29.12;::ffff:40.126.29.14;::ffff:40.126.29.5;::ffff:40.126.29.11;::ffff:40.126.29.15;::ffff:40.126.29.8;::ffff:40.126.29.6;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 11241100x80000000000000005500096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005500095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9B3C35E2EBC2F501ACB7C1CC8690435B,SHA256=3E0E0B6B4BE2849FADBB3E697AB934BE0C453EA4E59507BA414F7639176E4E11falsetrue 10341000x80000000000000005500094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.941{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.910{4DF467A6-1238-6139-BCD6-00000000F001}64446520C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-4448-6132-F305-00000000F001}4552C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52cbf|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52c5a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52bd6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+5259d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+7cc7f|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1e87dc|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1210|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1602|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.879{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-US2021-09-08 15:57:53.819 23542300x80000000000000005500091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.879{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 11241100x80000000000000005500090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.769{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-US2021-09-08 15:57:53.819 23542300x80000000000000005500089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.769{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 11241100x80000000000000005500088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.769{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-US2021-09-08 15:57:53.819 23542300x80000000000000005500087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.769{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 11241100x80000000000000005500086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.769{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-US2021-09-08 15:57:53.819 23542300x80000000000000005500085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.769{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\MruServiceCache\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Word\Places_en-USMD5=D751713988987E9331980363E24189CE,SHA256=4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945falsetrue 734700x80000000000000005500084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.691{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msimg32.dll10.0.14393.0 (rs1_release.160715-1616)GDIEXT Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationgdiextMD5=78DA58DF85F86CA61E5EAFB9EF0A83BE,SHA256=3216205F5C355D582EC4B902651B62E1FF3EFFDCA40BC849D474F13F1325E962trueMicrosoft WindowsValid 12241200x80000000000000005500083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.738{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.691{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\GFX.DLL16.0.13801.20442Microsoft Office GraphicsMicrosoft OfficeMicrosoft CorporationGFX.DLLMD5=67A8185AAF7674010FB3D3F4BF71B3A7,SHA256=3017C9E5F1B0107444C560FF931BEB019E96AFC49D33F131B1BD0D3AF5B53614trueMicrosoft CorporationValid 12241200x80000000000000005500056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.723{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 354300x80000000000000005500033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.050{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56013- 354300x80000000000000005500032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.606{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49823-false52.109.2.52-443https 10341000x80000000000000005500031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.707{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.707{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.605{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49824-false52.109.2.52-443https 10341000x80000000000000005500028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.707{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.707{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.584{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-56303-false127.0.0.1-53domain 354300x80000000000000005500025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.581{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56303- 354300x80000000000000005500024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.581{4DF467A6-3F48-6132-1400-00000000F001}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:2322:29b:ffff-56303-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000005500023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.557{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56303- 354300x80000000000000005500022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.134{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59731- 354300x80000000000000005500021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.024{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local51827- 354300x80000000000000005500020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.700{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57870- 12241200x80000000000000005500019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.691{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.644{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\usp10.dll10.0.14393.3321 (rs1_release.191016-1811)Uniscribe Unicode script processorMicrosoft® Windows® Operating SystemMicrosoft CorporationUSP10.DLLMD5=ACF31D492FD578C0374EB20CC393BE98,SHA256=D49ECA60A94B30DB87CDCEB36F284D273E080E8689E4B0F99D5BD44FFD117A92trueMicrosoft WindowsValid 12241200x80000000000000005500017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 354300x80000000000000001551292Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:45.822{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551291Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:52.385{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1615173E102196F53A2B678039F98B4,SHA256=95921F723D8AB929997230494CBAA4C3FAAB59E2F8A568B368AA291481B8587C,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005500000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005499992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005499991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:52.644{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 13241300x80000000000000005499990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:52.644{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeWordBinary Data 11241100x80000000000000005499989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.629{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-08 15:58:12.555 11241100x80000000000000005499988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.629{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-08 15:57:54.225 11241100x80000000000000005499987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.629{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-08 15:57:54.225 11241100x80000000000000005499986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.613{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 11241100x80000000000000005499985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.613{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 11241100x80000000000000005499984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.613{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.613{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005499982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.597{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005499981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.597{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005499980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.597{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.597{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005499978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.597{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000005499977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.597{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.597{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=EEE0538C4621650AAF183B6402A6612B,SHA256=1F3F5584AE09D4B64CBDD58CD16E93F7F863D65B08800426D5917687A1ED4CA9falsetrue 10341000x80000000000000005499975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=C207AD3B2B848845DE00E5B24A2CE3B0,SHA256=BD1D87893C7AD945354375B7BC199D5D523AF70E2376B07D18DD09CD1F4803C0falsetrue 10341000x80000000000000005499973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=F254F22CC0D66D2336953EC81A2C5882,SHA256=134DC82ACF90237A04D09F1A038B65A71BE988257983F1F8D6BCB2DAC38AD17Cfalsetrue 10341000x80000000000000005499971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=9BF87145CDF89BE4E5616A13DC37D214,SHA256=2AA994A1B0D2FD2B15464F1EBF5DA8D8305F9BDA603995728859B54F10305D7Cfalsetrue 10341000x80000000000000005499969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=7367395449966B3BCF83A6736FBD4E35,SHA256=3F132183EEE92228426B6F4B60317A42C17FB6EEF595783B6531A45FA0626C51falsetrue 10341000x80000000000000005499967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=C79B06CBF1517B2435D79B1668596C5F,SHA256=C22DBA99FD363870B1A5AB2EAD24E7776A6290D7F3E4C01C808501330D28A389falsetrue 10341000x80000000000000005499965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.582{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=CC352DB22048C1BB3E551A99AC900979,SHA256=D62BB24D1DF2DC3311097EA77E627E1D4676AA3B646D9E7F52B2FC9D1CE200E4falsetrue 10341000x80000000000000005499963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.566{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.566{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=21027443E11B7F605B90454AC42C17D0,SHA256=652F9906371C3F627FEDB710A4E01D9B12A146FEAA0475803AD6944B2ECAB915falsetrue 10341000x80000000000000005499961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.566{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.566{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=2A4CC38C3BBD404A5707D5AE4F560423,SHA256=4A314ECFDCD765613FF91566C4D89CDC42441BE1ED721AF220C11130171FBA4Bfalsetrue 10341000x80000000000000005499959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.566{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.566{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=9BE86E13F4BB0F796229F38140B2CFE2,SHA256=70DAE84F005B1AFDCA117D784254153B119844C202CB484CC20D96C11C196C6Cfalsetrue 10341000x80000000000000005499957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.551{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.551{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=59F1EAB52D0BB922227676A4246EA874,SHA256=DD79F0A352F9EFFA9FA30DE5435AA5E6DEAE16B4F4F35D512D0C6721566B9D64falsetrue 10341000x80000000000000005499955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.551{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.551{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\L9SWZBK3.cookieMD5=F7BB62A9D9B80DA3E93909B79BC77D9F,SHA256=36B8CEC61A44867ED4155DA0FC155D5CCAB3E448C7E42651988DBAA84883523Cfalsetrue 11241100x80000000000000005499953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.551{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\G4PXHSLQ.cookie2021-09-08 19:42:52.551 12241200x80000000000000005499952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.457{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\Common 13241300x80000000000000005499951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:52.457{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\ManualTakStatusDWORD (0x00000021) 13241300x80000000000000005499950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:52.457{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\LastFetchDetailDWORD (0x0000001b) 534500x80000000000000005499949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.457{4DF467A6-1237-6139-BAD6-00000000F001}3652C:\Windows\System32\dllhost.exe 734700x80000000000000005499948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\concrt140.dll14.27.29114.0 built by: vcwrkspcMicrosoft® Concurrency Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationconcrt140.dllMD5=C53C05B2B2A75D0FF56CB936DFD4E4A5,SHA256=C89C55575DEE5CDE8DC1FB67DF8EB293C4AE0BB0B7C0354D333807DE08D45D04trueMicrosoft CorporationValid 734700x80000000000000005499947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\httpapi.dll10.0.14393.1532 (rs1_release_d.170711-1840)HTTP Protocol Stack APIMicrosoft® Windows® Operating SystemMicrosoft Corporationhttpapi.dllMD5=03DBC6A3E615C17C08BF96C999A0C8EE,SHA256=E5D2CAB8D8F3EDDF0E7895E9D585FC89AF6A93954944071CA1B235FA8AF8DD4BtrueMicrosoft WindowsValid 734700x80000000000000005499946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll2.8.0A Microsoft project for cloud-based client-server communication in native code using a modern asynchronous C++ API designC++ REST SDKMicrosoftTARGET_NAME.dllMD5=A916D562344A19E7FD0346390AC95A0C,SHA256=F226271CDC17F336239AB3903C09D4ADDCCD0421395EE9F51A79A4027BF6E345trueMicrosoft CorporationValid 11241100x80000000000000005499945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005499944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.301{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CBEFB7C63D3ED7D79F8622D220ECB135,SHA256=8CEA7D75E72E95C624BD2618B5E39B657C376945D8E70BD52015910CD32C60CEfalsetrue 11241100x80000000000000005499943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.285{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-08 15:57:54.225 11241100x80000000000000005499942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.285{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-08 15:57:54.225 11241100x80000000000000005499941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.285{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 11241100x80000000000000005499940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.269{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 11241100x80000000000000005499939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.269{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.269{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005499937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6F2E7CEB0E8A1E6189F5C3505184D2,SHA256=23FF4F24ECE5CD92870740349EEA9918D08FD6E81F04857FE6F77C715ACC772Ffalsetrue 11241100x80000000000000005499935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.269{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005499934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005499933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005499931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.254{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000005499930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.254{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.254{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=1208CD8D64D8701C0B56F7BCF0211030,SHA256=B5A29350DEF4A7CC27B72EA56B4C63EEB6FD0725E2CC5729B622996F2969A6EEfalsetrue 10341000x80000000000000005499928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=EB454CF53532015F8A80B418940E1980,SHA256=C2C71A4F425676D9611CCA7C1659B52EBA6D1DC5325D250535F4657D51585CCEfalsetrue 10341000x80000000000000005499926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=7F26DF259D1859A128AAB23AF4B3561B,SHA256=19F4464C6C57B3E77C1FF871EE935D3F75B28C509B0B10875F6ED153B139FCABfalsetrue 10341000x80000000000000005499924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=727EC545CC4BCC972BE6DA9C27225D25,SHA256=94D02A604137818CB8D85ABCAB78B1E279C102AF199C11BFE35F1A945BA5A3E0falsetrue 10341000x80000000000000005499922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551290Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:52.222{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF66589310025C523F6772A4DB55759,SHA256=82D2471F4A80DD441C4476897EFD99313DC04799681DA237AE573B47359FDE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005499921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=3F5A7F0F45849BBCE4C855E7B2E831BD,SHA256=59B344B1945E77C72D3C3A513A1E2F54ECBF558C8D32BC28B57B53A01199DC2Bfalsetrue 10341000x80000000000000005499920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=E958C8AAEC5EEF77CCD17177E4653EBD,SHA256=B41FD4921C7B78DD2D6CDED2FB1ABCE3EDFF6AA1940280F0773F234716CB3870falsetrue 10341000x80000000000000005499918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.238{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=7670DB89A41F9EE47BE513F32C352711,SHA256=00A3A598FA15A2360301BA4F490E97FC89670BE4416270563EBA6C32C368FF5Ffalsetrue 10341000x80000000000000005499916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=AB5100A2803498E36F4A5DF2AF4684E6,SHA256=576F6AEBEAC7890CA977D9868AD4784902FC04883405EF826BDE1636C3C16445falsetrue 10341000x80000000000000005499914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=401DFEF519D8D87DE706D3C32DAD953A,SHA256=0A56962409204625AC8526810AAE980424F0C5CE1B5933B5650F1EAFAD63D825falsetrue 10341000x80000000000000005499912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=094EFEFBF248EDAA6858B403600431C1,SHA256=6C37BD9B3EA9ED97019C28B62537B89EA4317C3D0ECA7A906464F34650A0964Ffalsetrue 10341000x80000000000000005499910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.222{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=9D90EF0F210F12D2EAB3ED776D32D6FA,SHA256=FEC9690C6CFF5BE7F804102FB4E66B01E6778C53D4049A65950F04867B300F6Afalsetrue 10341000x80000000000000005499908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.207{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005499907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.207{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\996MABNW.cookieMD5=97B58B60E978610B680C15A9B9F370F1,SHA256=EDBD6D9A3913DAE954C5156AD39B720EE17BDBD5957BF1EAA2AAA669B3739138falsetrue 11241100x80000000000000005499906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.207{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\L9SWZBK3.cookie2021-09-08 19:42:52.207 11241100x80000000000000005499905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005499904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=95E07BB9176BC2B4B59B678786FC5F51,SHA256=BF27C6D2B4BB21D6BF041954BC57095E1BD1DE71B6ACE71B72B70FC9E39B5524falsetrue 11241100x80000000000000005499903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005499902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5171B09153FC64CA31BDDFFC3C43270B,SHA256=5F2AE79B19ABFF03FAE9EC9A4B33AB23ECF8962137F310975DC1F6BB41DC850Dfalsetrue 10341000x80000000000000005499901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.113{4DF467A6-123B-6139-BED6-00000000F001}57407612C:\Windows\system32\sppsvc.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x80000000000000005499900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.113{4DF467A6-123B-6139-BED6-00000000F001}57407612C:\Windows\system32\sppsvc.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005499899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005499898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3A5FB4512B28790C278E68F953C9CEF7,SHA256=B2A8477EABA1697BE5D5B7A85413AC49A587D580D9D57C6538374D5D746266CAfalsetrue 11241100x80000000000000005499897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005499896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B1FB5643BE3FC681950686EDE8FA32,SHA256=8EFC71711A745AD3FB665F0FC73C043278E521271CCE890BB3CDEACEE267149Afalsetrue 11241100x80000000000000005499895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005499894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BDB3B9D86BE7D2104B9815457C2A6273,SHA256=4F5061BCF0B5F7A307C6E8CA0286D812645B55D101DE8AC7FBB2D6503059917Ffalsetrue 11241100x80000000000000005499893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.035{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-08 15:57:54.225 734700x80000000000000005499892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.019{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppobjs.dll10.0.14393.4583 (rs1_release.210730-1850)Software Protection Platform PluginsMicrosoft® Windows® Operating SystemMicrosoft Corporationsppobjs.dllMD5=70045B78DCFD4DE800A61A51E60D83DC,SHA256=557A2F2C1F6E766E3CBE8A6E91F7614717848B754242097E820C32EED148A530trueMicrosoft WindowsValid 12241200x80000000000000005499891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005499868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.019{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-08 15:57:54.225 11241100x80000000000000005499867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.019{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 11241100x80000000000000005499866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.019{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 734700x80000000000000005499865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.019{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 12241200x80000000000000005499864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005499863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.019{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005499862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.004{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 734700x80000000000000005499861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\Clipc.dll10.0.14393.0 (rs1_release.160715-1616)Client Licensing Platform ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationClipC.dllMD5=C1ADE6C578AFD608EBC63BEB0F85ABD7,SHA256=7195914FD6FF035601607636E8EEFC58074852FD9983DB4A7E9DFEAEFA3D8382trueMicrosoft WindowsValid 12241200x80000000000000005499860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005499837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.004{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 12241200x80000000000000005499836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7trueMicrosoft WindowsValid 12241200x80000000000000005499834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005499811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.004{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 12241200x80000000000000005499810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005499809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppwinob.dll10.0.14393.4530 (rs1_release.210705-0736)Software Protection Platform Windows PluginMicrosoft® Windows® Operating SystemMicrosoft Corporationsppwinob.dllMD5=131DCFFFD0F2560BCD89F6ECBCC8A2D1,SHA256=5FB678235EC5BB4417B9D69AD7095A6C13AC1C008FA2647BE09205434E57AA4AtrueMicrosoft WindowsValid 12241200x80000000000000005499808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005499807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005499806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005499805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005499803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005499789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005499788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005499787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005499786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:52.004{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005499785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:52.004{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005499784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 12241200x80000000000000005499783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:51.988{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005499782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:51.988{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 22542200x80000000000000005500451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.134{4DF467A6-1238-6139-BCD6-00000000F001}6444ols.officeapps.live.com0type: 5 prod.ols.live.com.akadns.net;::ffff:52.109.16.1;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.972{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.128{4DF467A6-3F58-6132-2B00-00000000F001}294852.2.109.52.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000005500448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.096{4DF467A6-3F58-6132-2B00-00000000F001}294813.29.126.40.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000005500447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.087{4DF467A6-3F58-6132-2B00-00000000F001}294818.84.97.40.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000005500446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.084{4DF467A6-3F58-6132-2B00-00000000F001}294834.166.96.52.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000005500445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.068{4DF467A6-3F58-6132-2B00-00000000F001}294896.72.60.23.in-addr.arpa.0type: 12 a23-60-72-96.deploy.static.akamaitechnologies.com;C:\Windows\sysmon64.exe 22542200x80000000000000005500444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.832{4DF467A6-1238-6139-BCD6-00000000F001}6444clients.config.office.net0type: 5 geo.clients.config.office.akadns.net;type: 5 amr.clients.config.office.akadns.net;::ffff:13.83.56.107;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.972{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.785{4DF467A6-1238-6139-BCD6-00000000F001}6444roaming.officeapps.live.com0type: 5 prod.roaming1.live.com.akadns.net;type: 5 us2.roaming1.live.com.akadns.net;::ffff:52.109.20.16;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.972{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.663{4DF467A6-1238-6139-BCD6-00000000F001}6444nam10.dataservice.protection.outlook.com0::ffff:104.47.55.16;::ffff:104.47.70.16;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.972{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.519{4DF467A6-1238-6139-BCD6-00000000F001}6444substrate.office.com0type: 5 outlook.ha.office365.com;::ffff:40.97.142.34;::ffff:40.97.132.18;::ffff:40.97.205.2;::ffff:40.97.161.50;::ffff:40.97.119.194;::ffff:52.96.119.114;::ffff:40.97.118.162;::ffff:40.97.84.18;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.972{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.085{4DF467A6-1238-6139-BCD6-00000000F001}6444dataservice.protection.outlook.com0::ffff:104.47.35.22;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.972{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.879{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005500433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.879{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005500432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.879{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005500431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.879{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005500430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.879{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005500429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.879{4DF467A6-4448-6132-F505-00000000F001}50647056C:\Windows\system32\sihost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.701{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49828-false104.47.55.16-443https 10341000x80000000000000005500427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.754{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.754{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.629{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49827-false10.0.1.12-8000- 354300x80000000000000005500424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.628{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62580- 354300x80000000000000005500423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.606{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local62580- 354300x80000000000000005500422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.542{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local59594- 354300x80000000000000005500421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.187{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49825-false104.47.35.22-443https 10341000x80000000000000005500420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.754{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.754{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.722{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005500417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.722{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000005500416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.722{4DF467A6-3F47-6132-0C00-00000000F001}8362128C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 11241100x80000000000000005500415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.691{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005500414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.691{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8487BA5F3F6AB4890FF2F0DE53AC1D8E,SHA256=1FE9EB4D81C27C4CBF1A6C952426C52185CFFCB208C6209311ECEBA495A04253falsetrue 11241100x80000000000000005500413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.582{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171B81DEC0EB75F2E29D870E268D53EE,SHA256=19FB05EF525FD52DEEEE195515FDDAAC3A7D905A8E439040137711451A1416B7falsetrue 11241100x80000000000000005500411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.535{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA6F93D127348C16A450836765277F6,SHA256=4E5C4137CA80CE7F37C56FE56E1066131F122433A2DEAED8060891C188D196CFfalsetrue 354300x80000000000000005500409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.604{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49822-false52.109.2.52-443https 10341000x80000000000000005500408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.147{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49821-false40.97.84.18-443https 10341000x80000000000000005500405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:38.055{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49820-false52.109.2.1-443https 10341000x80000000000000005500402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.752{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49819-false40.126.29.13-443https 10341000x80000000000000005500399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.683{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49818-false52.96.166.34-443https 10341000x80000000000000005500396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.679{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49817-false52.96.166.34-443https 10341000x80000000000000005500393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:37.671{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49816-false23.60.72.96a23-60-72-96.deploy.static.akamaitechnologies.com443https 10341000x80000000000000005500390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.488{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005500388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 12241200x80000000000000005500387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\certca.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Microsoft® Active Directory Certificate Services CAMicrosoft® Windows® Operating SystemMicrosoft CorporationCertCaMD5=8F23364460E12C9A157F88B9B4A86F2E,SHA256=51B5550668D6420C5DA988FEF83564DD9B4E911866EF4FC80748C8B219789F23trueMicrosoft WindowsValid 12241200x80000000000000005500360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.347{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005500336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:53.347{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005500335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:53.347{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 12241200x80000000000000005500334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.301{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\CertEnroll.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Active Directory Certificate Services Enrollment ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationCertEnrollMD5=20ADB479CDAFBDFB60D8D6E0AD7D6588,SHA256=C1C86EE623A9BCA85CE4D6AD7DA9F75C18E62DA2341219FCF45A73FD0CF5123BtrueMicrosoft WindowsValid 12241200x80000000000000005500331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.332{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.316{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 12241200x80000000000000005500306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.301{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.301{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.207{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1FtrueMicrosoft WindowsValid 12241200x80000000000000005500303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.HostName.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Networking.HostName DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.HostName.dllMD5=8DF028D66876592B54CEF5631E727C2E,SHA256=C16C85F3D505EDE6F2566DF7140171F5AB4A71DDDEEDC653D846D3954AA8E99AtrueMicrosoft WindowsValid 12241200x80000000000000005500276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.Connectivity.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Networking Connectivity Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.Connectivity.dllMD5=7934F613774F04B5BFD097B3D77F81FB,SHA256=E1A32AADFED0859269C89D4E1C961D3BC8EA2A5FA86487C9817BB52899E0F60EtrueMicrosoft WindowsValid 12241200x80000000000000005500249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Networking DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.dllMD5=79801C7A91F51A659B0BBA4E80FFFA6B,SHA256=A261D0F4572FAE532461712C90129E14682B09FA651742DBD856F28430586CA7trueMicrosoft WindowsValid 12241200x80000000000000005500222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.222{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.144{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL10.0.17763.1 (WinBuild.160101.0800)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationDBGHELP.DLLMD5=3AD4BA5FD42E006E38D60AC93FD882E1,SHA256=502593C125B3DCF31D4565FCA6CF49E75233E1D6F3A7DEF2E2E2431E2501D349trueMicrosoft CorporationValid 12241200x80000000000000005500195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.207{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\fwbase.dll10.0.14393.0 (rs1_release.160715-1616)Firewall Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfwbase.dllMD5=216C0DC7BEBD19C616A7BCE54F57F70C,SHA256=2305E780D161A736DB237727AC78EC1D2462793FD5013D126621B4BBBB16D743trueMicrosoft WindowsValid 734700x80000000000000005500170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.129{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\v8jsi.dll0.63.1.8_5_210_20React Native V8 JSI AdapterReact Native V8 JSI AdapterMicrosoftv8jsi.dllMD5=A0BC9DBA90FC6D10B7618702FB67EC58,SHA256=2A6EBAA66D27F565E4008619D680DF1F2F13E77C2155F658B29F841B9D49AE51trueMicrosoft CorporationValid 12241200x80000000000000005500169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.207{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005500146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.207{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\FirewallAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Firewall APIMicrosoft® Windows® Operating SystemMicrosoft CorporationFirewallAPI.DLLMD5=C7DD193AFCCF63B97C559993608EDAF0,SHA256=26E7628E9C65352F730F38D7BF32A845CC1CAEEC034152B1CDE85F9B89D1A6DCtrueMicrosoft WindowsValid 734700x80000000000000005500145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.160{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1CtrueMicrosoft WindowsValid 734700x80000000000000005500144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.129{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87trueMicrosoft WindowsValid 12241200x80000000000000005500143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.019{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll0.62.22React-Native-WindowsReact-Native-WindowsMicrosoftreact-native-win32.dllMD5=398277435FAC13143749320A60428DC8,SHA256=0576D3C166CF04F52BA9913A75FF14D77AF755D5285D7E7D64550BA432DBA932trueMicrosoft CorporationValid 12241200x80000000000000005500141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000005500118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:53.097{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000180538\VirtualDesktopBinary Data 12241200x80000000000000005500117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.097{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000180538 11241100x80000000000000005500116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005500115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:53.051{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=77203421893DA1521A45A823EA391EF2,SHA256=F8D8862B2CC53DC35DD12D6618FB989E262976B9034AB9CC681347A0CF181E0Afalsetrue 12241200x80000000000000005500114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:53.019{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 23542300x80000000000000001551293Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:53.387{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8800169B976CFCBF1944269E65DD5D4E,SHA256=7C8D8E64E8155B6D1F5F32B70A8FEC4207F9938257B22CEB296CA5D76025E5C3,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005500466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.693{4DF467A6-1238-6139-BCD6-00000000F001}6444augloop.office.com0type: 5 augloop-prod.trafficmanager.net;type: 5 augloop-prod-001.westus.cloudapp.azure.com;::ffff:52.111.245.5;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.988{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.863{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.863{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9BB58C4951E0A4AB028E3A250FC0D3,SHA256=805EB90D1150B046E26A81033CC9F209F8E1EBC0F7078923193B4695727EC5DCfalsetrue 354300x80000000000000005500462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.067{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63269- 354300x80000000000000005500461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.066{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50866- 354300x80000000000000005500460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.066{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local56893- 354300x80000000000000005500459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.066{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local65089- 354300x80000000000000005500458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.556{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49826-false40.97.142.34-443https 10341000x80000000000000005500457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.551{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.551{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005500454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE4F620E2A9A6180CD6BB6410CA5416,SHA256=351447CD9CCBDFC9A638A55B6FA853A1BAE63CBABD6BD56B239DDEE79875B190falsetrue 11241100x80000000000000005500453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:54.176{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234BF5406E3BFA05BDF8ED156EE7613E,SHA256=0E113CCB9D621422A17A421997C8AB7D8294DE194AD6E3A8E94551B6EC341F59falsetrue 23542300x80000000000000001551294Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:54.389{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76E996D0A805B9D696519CB30DB9CB1,SHA256=4B809588418099D3B730F210C4C35AB328D1358168459DD0EC594D58E85EA0D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005500534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E573456BE79E3222DB7C6428F659B0,SHA256=B79A465507B29A7FFFB6D09560932B525530C3A81D5C8E026D5019A1A64B9069falsetrue 354300x80000000000000005500532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.715{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61396- 354300x80000000000000005500531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.156{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local63474- 354300x80000000000000005500530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.097{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65089- 354300x80000000000000005500529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.097{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63269- 354300x80000000000000005500528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.097{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60244- 354300x80000000000000005500527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.097{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50866- 354300x80000000000000005500526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.068{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60244- 11241100x80000000000000005500525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.738{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005500524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.738{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD26283391C5EE67CB7E0949F26AC4C7,SHA256=659261C41D5F43AE7E58C9643D351152A28584D1219D48408ABCB019E261A836falsetrue 13241300x80000000000000005500523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:55.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\WEF\LastUpdate\Word\CorpCatalogRecheckTimeTimeStamp55 42 19 8 8 121 3 250 0 00 354300x80000000000000005500522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.876{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49830-false13.83.56.107-443https 10341000x80000000000000005500521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.597{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.597{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:39.859{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49829-false52.109.20.16-443https 10341000x80000000000000005500518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.597{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.597{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.535{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A22021-09-08 15:58:12.555 11241100x80000000000000005500515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.519{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68E2021-09-08 15:57:54.225 11241100x80000000000000005500514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.519{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376D2021-09-08 15:57:54.225 11241100x80000000000000005500513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.519{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585B2021-09-08 15:57:53.678 11241100x80000000000000005500512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE602021-09-08 15:57:53.678 11241100x80000000000000005500511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BD2021-09-08 15:57:53.428 11241100x80000000000000005500510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBB2021-09-08 15:57:52.975 11241100x80000000000000005500509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.504{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE32021-09-08 15:57:52.975 11241100x80000000000000005500508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.488{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF82422021-09-08 15:57:52.710 11241100x80000000000000005500507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.488{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C32021-09-08 15:57:52.710 11241100x80000000000000005500506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.488{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF42021-09-08 15:57:52.694 11241100x80000000000000005500505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.488{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA80572021-09-08 15:57:52.694 10341000x80000000000000005500504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.488{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.488{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\276CA6A1B50F2A6D99975542DEB806A2MD5=3897E956CB56100FAF8F8DECD9A6C4E1,SHA256=0F5BA71700FB4D67137C72212F40D9AB2AB28286EA28487EE7560F3844CEF086falsetrue 10341000x80000000000000005500502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\2E0688AA49358DBA0C38529E0073F68EMD5=91351E7ABC82379A3835F185C2F04FC8,SHA256=8C3B3F6C808B07E43B25355148EB5594CD1F38C950E81647831C3C1DC7AF7B82falsetrue 10341000x80000000000000005500500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\DE8D3F8D6928320F9B3D40818973376DMD5=9849F618E629B37A2B430DFD9C384377,SHA256=8B4337578868BE2C766B359990983872D4DC01C1A6D610448AE82BE3BC65E435falsetrue 10341000x80000000000000005500498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\50E9827D6ABD6AD6128263FC11F5585BMD5=BA8DC99760B4F73C09D9BC4F2999CE5B,SHA256=C2F39999B908DDA008D2B582247F1E5AAE09C6D4DBE733760066EDD9620D3EEAfalsetrue 10341000x80000000000000005500496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\E08C85A1628613EC3DDAA9009D84AE60MD5=0D2CE9512D5432D0E6247BE34FF4FC6E,SHA256=8BCC0CE1B3878256C9888D36651BF9FB69AD82B70DC237CCF09592D1412ABBCEfalsetrue 10341000x80000000000000005500494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\06E77BA2AFD19415DCCD47B619B236BDMD5=5152623890574A712A988F3FFF8B62A7,SHA256=E8519A732922D1018115B88A58DD6BC0DD889EDE9E625A2080FE9E6264963AC2falsetrue 10341000x80000000000000005500492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.472{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\D2325BD2B73BEC8371D498E313E99DBBMD5=DD87DA38CB9C1E384B4C697FCD8DA7BF,SHA256=4979BB666238DD42A86B609BE72750181A223B58ADCB2F71A19EEF5176556837falsetrue 10341000x80000000000000005500490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.457{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.457{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\AE8AC12B059FC12BC993D44775532FE3MD5=4B3484B4E86DECDB28941034605FC804,SHA256=36CE5946113128F53894C82C9A7D2E4816405CCDFB9D3D552B3C322E097F2435falsetrue 10341000x80000000000000005500488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.457{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.457{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\C7587E62033F954AABD4D1069CDF8242MD5=1886347D2BA1141DFE7B7F7E43EBEA17,SHA256=5736C0242B3D380BBE87F44520F601ADC4339D396A5F8DED047F956CC828B585falsetrue 10341000x80000000000000005500486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.457{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.457{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\11420D9674230CDD500D49A5C8EB73C3MD5=62E15D5D31D78B09712EAABA37DA7D4F,SHA256=9516728A8ED48B4A710B801FCD1AEC4479EE025F08BC0C29CAFC95C296FFFF92falsetrue 10341000x80000000000000005500484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.441{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.441{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\19327C7415E3C87C9469A39F209FBEF4MD5=C93762BF295C694B53AE1F755774A82A,SHA256=F3C6702537A8DCD273C2BBEAE801E8A583697E66D69EE977816D55DA59B3E7DEfalsetrue 10341000x80000000000000005500482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.441{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.441{4DF467A6-3F46-6132-0B00-00000000F001}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Credentials\9DA9D0B857DD035C7DE5CD6CC4AA8057MD5=262B804B3808D383B016E6EDD7B85EAC,SHA256=02EA8A1FFF3B8CAC7B013B04AE567068B4847030ACAE0C1CA80F58642F08F328falsetrue 10341000x80000000000000005500480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.441{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+4e83f|C:\Windows\system32\lsasrv.dll+4e2bf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000005500479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.441{4DF467A6-4448-6132-F805-00000000F001}3292ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\G4PXHSLQ.cookieMD5=B772499A5751536684B0AF93EBAB2D9B,SHA256=2DC2D281F7A2C4D9F2B9DA73CE6BE1188C477C39C746A3618CA81AD146403B6Afalsetrue 11241100x80000000000000005500478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.441{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\U9YRDK7T.cookie2021-09-08 19:42:55.441 11241100x80000000000000005500477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005500476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EC6F76EFDC4562F80346579D4979F703,SHA256=CD19B76AF6DA15DF429DE6526AD0078DACD7ED18065AFD0CFDFF231117C084DBfalsetrue 11241100x80000000000000005500475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005500474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D4020EEF7C91EA582BE83F15C082D100,SHA256=306952E42207E3C2BAB6811097C53CACC9ACB360DBAAFB38CD8F5324EFDE337Ffalsetrue 13241300x80000000000000005500473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:55.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000020066E\VirtualDesktopBinary Data 12241200x80000000000000005500472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:55.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000020066E 13241300x80000000000000005500471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:55.113{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005500470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:55.113{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005500469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.113{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.035{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shm2021-09-08 19:42:55.035 11241100x80000000000000005500467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:55.035{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal2021-09-08 19:42:55.035 23542300x80000000000000001551295Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:55.392{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BB35DBA9DAE54B9FB48F6895A2D2C0,SHA256=081F81517EBB63159D841F8E2F807FE74DEA5FE8A8A9DD06C131FEF23D82379F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005500549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:42.175{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49540- 354300x80000000000000005500548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:42.144{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49540- 11241100x80000000000000005500547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EBA5A5141BC175926FD83B6E9B9CB8,SHA256=76D9F4266C9DE3EE630531CCE658E0E83A4A5C73374DF01334381C7B6BB00DD1falsetrue 23542300x80000000000000001551296Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:56.412{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920A888D9772704A5443675AC3911216,SHA256=DD63222CDB727EF704853D2DB6829AB2A9073776CCE06D409890E8E4D4084676,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005500545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.738{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49833-false52.111.245.5-443https 10341000x80000000000000005500544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.660{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.660{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.246{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49832-false52.109.2.52-443https 10341000x80000000000000005500541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.660{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.660{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:40.227{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49831-false52.109.16.1-443https 10341000x80000000000000005500538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.660{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.660{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000005500536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:42.262{4DF467A6-3F58-6132-2B00-00000000F001}2948107.56.83.13.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000005500535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:41.102{4DF467A6-3F58-6132-2B00-00000000F001}294816.55.47.104.in-addr.arpa.9003-C:\Windows\sysmon64.exe 23542300x80000000000000001551297Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:57.415{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C097AFA18D51C40FB59C62FC6D9C8CD,SHA256=CA2400EDF4C32F90891B1D3C331EAC87027B027EA4A69A1A6A76E41AC82FBC7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005500563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:44.644{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49834-false10.0.1.12-8000- 11241100x80000000000000005500562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.754{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005500561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.754{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=94EAA7406C972A3D6DF6A572424FB610,SHA256=927996CEDA903BD8C15C5DF7F5B322E0F113425FBC906C066F68CC4F0F7CCE00falsetrue 11241100x80000000000000005500560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005500559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.207{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=49F1795D5A9493B519DFCFE36CDEA1CE,SHA256=6B888F481660FB86E89463CD58B9AEBD9F9D522E0466CFF30A1D9BEF84D2EA0Cfalsetrue 11241100x80000000000000005500558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2C5122837C428F7282E7F7088B3654,SHA256=A3290C303167F7975B38345AE7B4010366C7B328F8F70B3B88331DC454AD4BEAfalsetrue 11241100x80000000000000005500556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000005500555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005500554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC704BA213142B6EFD723AD70D87DB18,SHA256=DAF1A50239DEC695C7E8F1B1EAB92569E36203E95C2E737AB0A53B4D94D4B67Bfalsetrue 23542300x80000000000000005500553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1841D0829A0A554A84E14BD5EFE8567,SHA256=687F6BFDF298441B12743B3B13D8E58BCB14E32F402325FF869E2B592F1ACAECfalsetrue 13241300x80000000000000005500552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:58.129{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005500551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:58.129{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005500550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.129{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551300Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:58.419{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6DEC18C19F30EFB07B17D3A8CC963A,SHA256=209EF96C92DBCB4260D35F4C8C2A7C2DF65A4BB48466C550A8BBE9E8D133C064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551299Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:58.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8082AFB3337733FE4A9AFF538F3A1AFB,SHA256=B3DB1FA4A6C28083BDA1E1612A29BF33CD485E157791E0084E8028B878066B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551298Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:58.117{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F78DB642AB438368E7A8C7C5FBE9F32D,SHA256=9BDEDECB2C458A6BD42C8E6B4595C443ACD6EC629D1E8D27241A6B8B056A642F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005500622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:59.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:59.191{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C666195F3FCE135A5F559CE2AD7DF857,SHA256=792C1611DF5C24B1BE5EF3D77C6847E36B982E30B3DFFE0CCBA3B22E28D94314falsetrue 13241300x80000000000000005500620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:59.082{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000023054E\VirtualDesktopBinary Data 12241200x80000000000000005500619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.082{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000023054E 734700x80000000000000005500618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:59.035{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51trueMicrosoft WindowsValid 12241200x80000000000000005500617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.051{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:59.035{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x80000000000000005500590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:42:59.035{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005500566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:59.019{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005500565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:42:59.019{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005500564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:59.019{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551302Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:59.421{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BF0D5D4B4A1026E1435109A44B24CF,SHA256=319BF16092A33358FA2663DC16BAA6EAA440CD6D56314A398888272A307FFF3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551301Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:51.714{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551303Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:00.423{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C20DFBB7AA4DC6912D013E5A06D935,SHA256=E7A79A2FE4DA33600EBB9138AD6C0ADB8931790DFBEC3E552A1B3DDD8662B9C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005500676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.332{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.332{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4322F375B33BD67F43B2205698F9150C,SHA256=EB054C7FDAA2CDBAB872CA1BDC7D04B7EE139D2E5F57C2D1F98366249786BAAFfalsetrue 12241200x80000000000000005500674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.176{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000005500673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:00.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{031B4925-B329-4B7D-8D6C-AC9A252823B1}\PointsBinary Data 13241300x80000000000000005500672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:00.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{031B4925-B329-4B7D-8D6C-AC9A252823B1}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000005500671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:00.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems\{031B4925-B329-4B7D-8D6C-AC9A252823B1}\TypeDWORD (0x00000000) 12241200x80000000000000005500670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8FBF2E10-3003-4313-BDB1-43F8773E028F}\RecentItems 13241300x80000000000000005500669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:00.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.WINWORD.EXE.15QWORD (0x01d7a4e9-0xbaf65aa8) 12241200x80000000000000005500668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000005500667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.176{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000005500666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.176{4DF467A6-1238-6139-BCD6-00000000F001}64444852C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d4a67|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000005500665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.176{4DF467A6-1238-6139-BCD6-00000000F001}64444852C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+d49d2|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000005500664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.176{4DF467A6-1238-6139-BCD6-00000000F001}64444852C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f 10341000x80000000000000005500663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.176{4DF467A6-1238-6139-BCD6-00000000F001}64444852C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+d49b7|C:\Windows\System32\windows.storage.dll+d4393|C:\Windows\System32\windows.storage.dll+d4219|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 10341000x80000000000000005500662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.176{4DF467A6-1238-6139-BCD6-00000000F001}64444852C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+6165e|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 10341000x80000000000000005500661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.176{4DF467A6-1238-6139-BCD6-00000000F001}64444852C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f 10341000x80000000000000005500660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.176{4DF467A6-1238-6139-BCD6-00000000F001}64444852C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+6164c|C:\Windows\System32\windows.storage.dll+d42ec|C:\Windows\System32\windows.storage.dll+d40c8|C:\Windows\System32\windows.storage.dll+4cac5|C:\Windows\System32\windows.storage.dll+4ca0d|C:\Windows\System32\windows.storage.dll+d3b6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466 23542300x80000000000000005500659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF1aa821f7.TMPMD5=8E4DCE8115B810B7846F93F3A59840D4,SHA256=92D1905E019493066625256F5CDD0937BAFC9EBCEE42B60DA1DDA3CAA8861B03falsetrue 11241100x80000000000000005500658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF1aa821f7.TMP2021-09-08 19:43:00.160 734700x80000000000000005500657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 254200x80000000000000005500656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CAVIOCGG1LIL773V7INV.temp2021-09-08 15:20:54.5192021-09-08 19:43:00.160 11241100x80000000000000005500655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CAVIOCGG1LIL773V7INV.temp2021-09-08 19:43:00.160 734700x80000000000000005500654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid 18141800x80000000000000005500653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444\srvsvcC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 734700x80000000000000005500652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.160{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid 13241300x80000000000000005500651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:00.144{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids\Word.Document.12Binary Data 734700x80000000000000005500650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.129{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid 12241200x80000000000000005500649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.144{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:00.129{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:00.129{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValid 23542300x80000000000000001551304Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:01.426{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CB185664521604B12E18F2A44F6B86,SHA256=D3D4273826B7168AD36E6AB1D93B4A276728F9AEC513353E4DB41A061396CF9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005500685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.640{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49835-false104.73.0.39a104-73-0-39.deploy.static.akamaitechnologies.com443https 10341000x80000000000000005500684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:01.926{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:01.926{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000005500682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.630{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local60248- 354300x80000000000000005500681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.630{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local57181- 11241100x80000000000000005500680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:01.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:01.394{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE201DA3D83DC3324F8BA46A46721D09,SHA256=418886AC9880B93E1D84FC454D6444E7D5D20E68F1D157DEC92D9425B646FB0Ffalsetrue 11241100x80000000000000005500678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:01.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005500677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:01.144{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6109B67CE6D3C0C48A38714170949A82,SHA256=54F31B55A0DAC371DFD2CEB69E16292EA31A94CCB827CE1F255D7566A0624590falsetrue 11241100x80000000000000005500696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.988{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005500695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.988{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E4370B0EBE57EF6B4DBE5BD6E8DD0EB,SHA256=CB1B5B1DD3B20CDC2E2DF00F3647F40C146EB63C4E48AEA9E8FE029D25A5E367falsetrue 354300x80000000000000005500694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.666{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49836-false20.189.173.7-443https 10341000x80000000000000005500693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.988{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.988{4DF467A6-3F58-6132-2B00-00000000F001}29482312C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005500690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.832{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A49898F8FA245458366B907CC43681CF,SHA256=75AB8C00AD2221C377EE419761806D9CF95A063694BDF54F26245093111C24CCfalsetrue 11241100x80000000000000005500689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.410{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.410{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37234110311FE4C44DCE4B0857D7F52,SHA256=D230834ACCD3DFDD84ABF0E99A79FF1EBABB504E8EF58ECAD6D3A23C4F3D7BAAfalsetrue 23542300x80000000000000001551305Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:02.429{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354F30137C68A132787EE623B37F2320,SHA256=F9909F1D2ABB429DEF83D8451765528184AA26B69C2B9C9042E1B181EB7E0844,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005500687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.608{4DF467A6-1238-6139-BCD6-00000000F001}6444cdn.uci.officeapps.live.com0type: 5 cdn.uci.officeapps.live.com.edgekey.net;type: 5 e1324.d.akamaiedge.net;::ffff:104.73.0.39;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:02.191{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005500923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E95E9A7E9036835E1AC218F64228866,SHA256=F4C73C49888EB70A610DD10DB15E45762A25B762A294212532778489A771A4F7falsetrue 11241100x80000000000000005500922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.801{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005500921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.801{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAF2FDDC59F436FC2B75EC0E39548AD8,SHA256=181FD4E636853F16B9913E5D6B631DC1362A5054BA573A7BC90E5438329A0A3Dfalsetrue 13241300x80000000000000005500920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.676{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005500919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.676{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005500918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.676{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005500917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.676{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005500916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.676{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C0566\VirtualDesktopBinary Data 12241200x80000000000000005500915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.676{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000C0566 10341000x80000000000000005500914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.676{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.676{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66F510FE924E256D628A578211C3812,SHA256=D30F004F5F3AE526C7B0329672212EBC6FAC5DDF832D5D6BFEBBCFB053F123D5falsetrue 734700x80000000000000005500911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.644{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9trueMicrosoft WindowsValid 12241200x80000000000000005500910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.660{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.629{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLL7.1.16.13801Microsoft Visual Basic for Applications componentMicrosoft Visual Basic for ApplicationsMicrosoft CorporationVbeuiIntl.dllMD5=645F7837FC9038516CE51EC98CBA8D0F,SHA256=53C81C5C73F4D24E3F33921149D18281C292A7A150BA111122ECA46FE60445ECtrueMicrosoft CorporationValid 12241200x80000000000000005500883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.644{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL7.1.16.8326Microsoft Visual Basic for Applications componentMicrosoft Visual Basic for ApplicationsMicrosoft CorporationVbeuiRes.DLLMD5=7C900B160E1CE4C4916774009E8B35F7,SHA256=A75301E30F4A5F5CEB0259D334BF78C43E30B66A55964CF2C5A1E0FE400730E4trueMicrosoft CorporationValid 12241200x80000000000000005500858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 354300x80000000000000001551309Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:42:56.828{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551308Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:03.433{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A65D803AC633FD3688EC39CAAF2976,SHA256=8028B26D0811D2F7D6BACAA5B96C4D558F99C9D9C8F202D6AFCFE6E436E019BF,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005500841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000005500835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.629{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0566\VirtualDesktopBinary Data 12241200x80000000000000005500834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.629{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0566 13241300x80000000000000005500833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400100000000F01FEC\Usage\VBAFilesIntl_1033DWORD (0x53280001) 13241300x80000000000000005500832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400100000000F01FEC\Usage\(Default)Binary Data 12241200x80000000000000005500831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400100000000F01FEC\Usage 12241200x80000000000000005500830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400100000000F01FEC 12241200x80000000000000005500829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products 12241200x80000000000000005500828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18 12241200x80000000000000005500827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData 12241200x80000000000000005500826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer 12241200x80000000000000005500825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion 12241200x80000000000000005500824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows 12241200x80000000000000005500823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft 12241200x80000000000000005500822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software 12241200x80000000000000005500821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE 12241200x80000000000000005500820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY 12241200x80000000000000005500819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.613{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005500818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.566{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005500817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.566{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005500816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.566{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005500815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.551{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\VBE2021-09-08 19:43:03.551 734700x80000000000000005500814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.519{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL7.01.1091Visual Basic Environment International ResourcesVisual Basic EnvironmentMicrosoft Corporation-MD5=CDA3EA478C604783B76964E88FD7030D,SHA256=DEBCD9E5DA29B2675C95055DBC342B74369BB5ED34ED5BAFC0738F470D5B4E69trueMicrosoft CorporationValid 12241200x80000000000000005500813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\VBA\7.1\Common 12241200x80000000000000005500812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\VBA\7.1 12241200x80000000000000005500811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000005500788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.535{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{2949E8A4-4BB1-4F54-9E92-0E0F1D182186}.tmp2021-09-08 19:43:03.535 12241200x80000000000000005500787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.519{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL7.1.16.13801Microsoft Visual Basic for Applications componentMicrosoft Visual Basic for ApplicationsMicrosoft CorporationVBEUI.DLLMD5=FAECA7282B7A44B8A028683CF4557130,SHA256=69F0E7933999B73F579F1301678DB4A0B1367B4A07DB0F8F0218DCDE2B4EB318trueMicrosoft CorporationValid 12241200x80000000000000005500785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.535{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.519{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.488{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\System\msvcr100.dll10.00.40219.1Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2010Microsoft Corporationmsvcr100_clr0400.dllMD5=DF3CA8D16BDED6A54977B30E66864D33,SHA256=1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36trueMicrosoft CorporationValid 12241200x80000000000000005500760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.457{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL7.01.1108Visual Basic Design Time EnvironmentVisual Basic EnvironmentMicrosoft Corporation-MD5=962CAEF91E79619B08D97DCF7CEC13C3,SHA256=4343F2C48692D253A4BA5FCA3EC7F7C675CEFDD778E4A0320524DABABBA2D60DtrueMicrosoft CorporationValid 12241200x80000000000000005500735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.488{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005500712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.473{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FFtrueMicrosoft WindowsValid 12241200x80000000000000005500711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.457{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005500710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\VBA\Forms3\Controls\EnableActiveXControlMSWebBrowserArchiteturePersistenceIssueDWORD (0x00000000) 13241300x80000000000000005500709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\VBA\Forms3\Controls\EnableActiveXControlArchitetureIndependentDWORD (0x00000000) 12241200x80000000000000005500708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\VBA\Forms3\Controls 12241200x80000000000000005500707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\VBA\Forms3 12241200x80000000000000005500706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\VBA 13241300x80000000000000005500705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ExdCache\Word8.0\MSComctlLibDWORD (0x00000001) 13241300x80000000000000005500704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ExdCache\Word8.0\MSFormsDWORD (0x00000001) 12241200x80000000000000005500703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ExdCache\Word8.0 12241200x80000000000000005500702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\Common\ExdCache 13241300x80000000000000005500701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:03.426{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000100000000F01FEC\Usage\VBAFilesDWORD (0x53280001) 11241100x80000000000000005500700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.426{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4183A1D2973C8CA6EE8C307AEB51C20E,SHA256=F8DCCEC1BFA528DFFD635246B1C1C1D3DE5D0CE263C83BC00D92C68B3D8815BCfalsetrue 22542200x80000000000000005500698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:47.621{4DF467A6-1238-6139-BCD6-00000000F001}6444self.events.data.microsoft.com0type: 5 self-events-data.trafficmanager.net;type: 5 onedscolprdwus06.westus.cloudapp.azure.com;::ffff:20.189.173.7;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x80000000000000005500697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:03.207{4DF467A6-3F58-6132-2B00-00000000F001}29486956C:\Windows\sysmon64.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551307Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:03.232{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=836E8061D41510543F530A462968FFAC,SHA256=9D87A8F0E0306258C255E244C30B1F211A5988CA7CEC3320C3BF53D97F21E8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551306Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:03.231{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8082AFB3337733FE4A9AFF538F3A1AFB,SHA256=B3DB1FA4A6C28083BDA1E1612A29BF33CD485E157791E0084E8028B878066B2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005500928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:04.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:04.660{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE97C09AD170CEC3BBAB20564C8F6F5C,SHA256=1BE7A2AE585BE6DED2C59EDDE71CA3742A468F4F8F335B033E5EA3C9366141C6falsetrue 23542300x80000000000000001551310Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:04.501{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E48799AF89ABEAE06092C68487F8FA3,SHA256=E004118EA28E168FB738147228331D099D771FCA790B105EFBE10EDA9079E5F7,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005500926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.441{4DF467A6-3F58-6132-2B00-00000000F001}29487.173.189.20.in-addr.arpa.9003-C:\Windows\sysmon64.exe 22542200x80000000000000005500925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:49.381{4DF467A6-3F58-6132-2B00-00000000F001}294839.0.73.104.in-addr.arpa.0type: 12 a104-73-0-39.deploy.static.akamaitechnologies.com;C:\Windows\sysmon64.exe 11241100x80000000000000005500933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:05.816{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005500932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:05.816{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922961305C6AA67F006F66ACB60772C6,SHA256=A2D2CEBA850B4D2A1FC28E6085E341A1F1C1D294A260B09083C71BE268BE0486falsetrue 23542300x80000000000000001551311Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:05.504{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F005516DD557711FA1053B0B5E4E52F,SHA256=8B26439127A1D3B8A9BF7359F5277B175F04CE7BB6B67D03799C78FF06EE0094,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005500931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.456{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50890- 354300x80000000000000005500930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.425{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local50890- 734700x80000000000000005500929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:05.098{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 11241100x80000000000000005501062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000005501061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BA1E53D8289D5889AA48BB7E047AC3,SHA256=75EE2DEB0DDBDBA57A8D355D65C45A2F2B96A2EA86771B4A2407088525E31DE3falsetrue 23542300x80000000000000005501059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.941{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B331C30B6FF4FAE171B9264B357663C4,SHA256=93B91B850B69EF6E2DD75808C7906828A08BE05BB488948E6804CCBD3AC70A27falsetrue 23542300x80000000000000001551313Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:06.607{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=50ADCFC249A16A75352C310F732D47F6,SHA256=755E6958BA387E387BAA78587D0FAFCD5053B7551E549D248183570BA16C78FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551312Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:06.575{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611AEED558911EC71D597F5D804C12CE,SHA256=D4708D982D691D305B9C567E989CCF9F9D670D65F3C8FEB1424A1A08A83870A8,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005501058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.269{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FAtrueMicrosoft WindowsValid 734700x80000000000000005501057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.269{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll16.0.55555.10000Grammar Proofing ServiceMicrosoft OfficeMicrosoft CorporationMSGrammar8.dllMD5=226E8BFDAE2E5157512CD97901C4B3A2,SHA256=D77B275C0502165DA334F8316B2406A2F0E8180CA1D62B774D53BBC6543EED4DtrueMicrosoft CorporationValid 12241200x80000000000000005501056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.285{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.254{4DF467A6-4448-6132-F405-00000000F001}4352C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FAtrueMicrosoft WindowsValid 12241200x80000000000000005501031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005501007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.269{4DF467A6-4448-6132-F405-00000000F001}4352C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Spelling 12241200x80000000000000005501006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005501005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.238{4DF467A6-4448-6132-F405-00000000F001}4352C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\MsSpellCheckingFacility.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Spell Checking FacilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMsSpellCheckingFacility.dllMD5=C0079D2D05B1563423C2BF0AED09CE87,SHA256=B55921D0A70FC3F5097010F49C6342E47F30F6B6EB4475CC4F7683954A00836EtrueMicrosoft WindowsValid 734700x80000000000000005501003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\MsSpellCheckingFacility.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Spell Checking FacilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMsSpellCheckingFacility.dllMD5=C0079D2D05B1563423C2BF0AED09CE87,SHA256=B55921D0A70FC3F5097010F49C6342E47F30F6B6EB4475CC4F7683954A00836EtrueMicrosoft WindowsValid 12241200x80000000000000005501002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.254{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005500978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.254{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x53280015) 13241300x80000000000000005500977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.254{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x53280014) 12241200x80000000000000005500976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005500975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005500974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:06.223{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\msproof7.dll16.0.55555.10000Proofing ServicesNatural Language ComponentsMicrosoft CorporationMSProof7.dllMD5=0B5AE10DC8D082C28CD1F7C66DBF6063,SHA256=53075E69BF554B0560B3E0B5E726B4F34326DBD0967EE29DC84E1AF8778A51B8trueMicrosoft CorporationValid 13241300x80000000000000005500973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 13241300x80000000000000005500972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 13241300x80000000000000005500971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 12241200x80000000000000005500970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005500969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005500968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005500967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 13241300x80000000000000005500966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 12241200x80000000000000005500965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005500964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PendingChanges 12241200x80000000000000005500958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000005500955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.238{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 12241200x80000000000000005500954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005500948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005500947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005500946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.238{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005500944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:06.223{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000005500943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x53280009) 13241300x80000000000000005500942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x53280008) 13241300x80000000000000005500941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x53280009) 13241300x80000000000000005500940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x53280008) 13241300x80000000000000005500939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x53280013) 13241300x80000000000000005500938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x53280012) 13241300x80000000000000005500937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x53280007) 13241300x80000000000000005500936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x53280007) 13241300x80000000000000005500935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:06.191{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x53280011) 354300x80000000000000005500934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:50.581{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49837-false10.0.1.12-8000- 11241100x80000000000000005501064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:07.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:07.973{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69BFA3C66726E2DCA630B82DC19197C,SHA256=0D6F04C62059F48F1C1FB4C7674A7A0E2A58D55856B1B8679CD00054F68D3921falsetrue 23542300x80000000000000001551314Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:07.594{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AA01ADA9006CA174060324F91DB3FC,SHA256=C32E14318494596D8BFD3B4BA69B371803B72E392D4DDD9299F2A8BB9EF7E36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551317Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:08.611{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B220F1832C22AEF8B9F7AF076335FB3,SHA256=3E72A84BE3A748E9A37059025B7E322E5ED8E165C894A84B7307FE63B279237C,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005501212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.910{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exeC:\Windows\System32\winbrand.dll10.0.14393.4530 (rs1_release.210705-0736)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllMD5=79E4DAD0DB8F0D1258F7092007354241,SHA256=DDFCF94DA71C8F49DC505F2FC94540037A0955BE831BF59C34BFBB62A998FB20trueMicrosoft WindowsValid 12241200x80000000000000005501211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.910{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.910{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 13241300x80000000000000005501186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:08.910{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005501185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:08.910{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005501184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.910{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.910{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.910{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.910{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000005501178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005501177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005501176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000005501175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000130666\VirtualDesktopBinary Data 10341000x80000000000000005501174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005501173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000130666 10341000x80000000000000005501172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005501166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D96C40CC47ABD0006AFEBAFC7C4BB103,SHA256=B44CC8BBDD32E34015DF81D5BEE0D80DB6E8B9E152640D3A89659FD044657E98falsetrue 734700x80000000000000005501164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000005501163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.894{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000005501162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-3F48-6132-1600-00000000F001}12487364C:\Windows\system32\svchost.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000005501159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000005501158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005501157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000005501156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005501155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005501154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.879{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005501153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.832{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005501152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.816{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 10341000x80000000000000005501151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.660{4DF467A6-124C-6139-C0D6-00000000F001}62447460C:\Windows\system32\conhost.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.660{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005501149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000005501147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005501144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.644{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4583 (rs1_release.210730-1850)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=2FB0A16E47FFDD4CBB3E80E58ECD8AE1,SHA256=943949336C9A3707F0A9FFD76A6D20278B6EE72513E8D193D04B27133C36B7C6trueMicrosoft WindowsValid 734700x80000000000000005501135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000005501134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000005501133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000005501129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.635{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" 734700x80000000000000005501128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.629{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.613{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.598{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.582{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2trueMicrosoft WindowsValid 10341000x80000000000000005501124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.582{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.582{4DF467A6-1238-6139-BCD6-00000000F001}64447732C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d75ce|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d67fe|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d715a|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+cfd8e|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d09d7|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.594{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" C:\Windows\system32\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 734700x80000000000000005501121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.566{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 12241200x80000000000000005501120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005501096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.582{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005501095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.566{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 12241200x80000000000000005501093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.566{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 12241200x80000000000000005501068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000005501067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:08.566{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000005501066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:08.098{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCD02898A9734714988326CC2B840B8B,SHA256=BF1D93D2605686F361B8B87ACB66FF042340661135237E0E924DB4BCB34F434Bfalsetrue 23542300x80000000000000001551316Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:08.263{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA558E02CAB729A753445219FA01FBD8,SHA256=CCAA91E63F5AB413DD145EBDC3D1F4E462A9654962A30576B145E0FF46421343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551315Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:08.263{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=836E8061D41510543F530A462968FFAC,SHA256=9D87A8F0E0306258C255E244C30B1F211A5988CA7CEC3320C3BF53D97F21E8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551319Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:09.613{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4B008BEE43A923F2C9CC13D33C0ADD,SHA256=B651396E43061EAFF9B3D721D2497848501E90BC27271EA0D4A03D12BD9ACFDF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:09.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:09.598{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=535B9ED1DD071EFFD4FF73668E23A4D9,SHA256=E231A6A1113192B3E93474D56D3F66F44C34867C87A2067B5ECB8C181842B903falsetrue 11241100x80000000000000005501216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:09.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:09.269{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9076C9757B476F8C2248873A890BAC7A,SHA256=17781215E46D6237642E9B670CFFC2AA33A9CFE05BC00A245ECED77AEEC030F4falsetrue 11241100x80000000000000005501214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:09.238{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:09.238{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A27CFE28F622B4E2A43E4FD668F3D7C,SHA256=4D17346B251813EA6850F7A75B898288E770863CDCB67C9785D9D5FDA2A2E6EBfalsetrue 354300x80000000000000001551318Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:01.862{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551320Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:10.630{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08065DDE63FA309D47D33D05EEAFF0FC,SHA256=7C5735F82DB5A85E3B9B1F1341E219373AB42F593EA004849DD73DCCD30B8E95,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005501233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:10.613{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000130666\VirtualDesktopBinary Data 12241200x80000000000000005501232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:10.613{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000130666 13241300x80000000000000005501231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:10.566{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005501230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:10.566{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005501229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.566{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000005501228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.566{4DF467A6-124C-6139-C0D6-00000000F001}6244C:\Windows\System32\conhost.exe 12241200x80000000000000005501227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:10.551{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000130666 13241300x80000000000000005501226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:10.551{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005501225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:10.551{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 10341000x80000000000000005501224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.551{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.551{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000005501222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.551{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe 824800x80000000000000005501221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.551{4DF467A6-4446-6132-EC05-00000000F001}1764C:\Windows\System32\csrss.exe{4DF467A6-124C-6139-BFD6-00000000F001}6992C:\Windows\System32\cmd.exe24840x00007FFEB1557C90C:\Windows\System32\KERNELBASE.dllCtrlRoutine 11241100x80000000000000005501220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.254{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:10.254{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7A6FEF4B1C83137ACAB9F5E291795B,SHA256=A5C52429094BFCAF783E8DC26E8B9AEB72C326EDB36CA416E0B55427FF114A9Cfalsetrue 23542300x80000000000000001551321Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:11.649{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633ECB26019947867EE82094518FA6B4,SHA256=183044552372FAC153F2E296ACB34CAC263CA36DFB8BE08445D1E6405613BA51,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:11.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:11.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16324C6A3380C4B04FF533D668372E62,SHA256=DBF66F54C4894E40D65E480CA59258FCB3758C75196A129EEE4E4BA0E293C37Cfalsetrue 354300x80000000000000005501238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:56.613{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49838-false10.0.1.12-8000- 11241100x80000000000000005501237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:11.274{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:11.274{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4523E1695F8F694D7D9DCD44BB20E98,SHA256=7E81E8F10B569A69A2C3CC9EC5FEE46C2A625D10E751EA56E063092A33098F3Bfalsetrue 12241200x80000000000000005501235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:11.274{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005501234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:11.274{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001551322Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:12.656{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC77DB76B4F388A5DDA6269276E2A748,SHA256=D55292E4C4E08D91E72632C485014CFF42E1A50202283CE433DDF74422EB2B56,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:12.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:12.290{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4009E82D0A956E4EA798A59F173FB3DE,SHA256=31CFF2D1B55A3CFB33626F071714E876C4011A353DD31436DFDA55C29DEFE71Efalsetrue 23542300x80000000000000001551323Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:13.690{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81D174476F7DBCF223698FBA5011F2D,SHA256=2A1A6C8D79A480BA8BCBF24A2A2C7F17A451CE47B9EF83881B533B3379128A99,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:13.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:13.930{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F92E3E48EDE1ACD00E9AADBA4F97EF28,SHA256=6135CCAF33E9C2040B300388ACBD6ACAA85CC2D130270C095200E85FE789728Dfalsetrue 13241300x80000000000000005501250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:13.571{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005501249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:13.571{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000005501248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:13.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:13.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2A6152F177905E039B3DA2EAC92599,SHA256=7DAE4337FDF0899663F8B53618ACC8A2DF4E2AE484DDD6547E49801F51B3661Bfalsetrue 354300x80000000000000005501246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.774{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49839-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005501245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:42:58.774{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49839-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005501244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:13.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:13.118{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=09D3E4B8F205BEE50C13752AF389AD54,SHA256=4ED927D78510E6D65E6952BDC8E0328ADFCDF9FE07865D80BF6013445B796DD8falsetrue 23542300x80000000000000001551327Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:14.859{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551326Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:14.692{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39A7BF7B2FE96A7A54D4A2AFA3BE42F,SHA256=CB5C8157FCF15B1DFC85D6189657826A8401CCA15FE90FFE84925873CF8FC585,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005501256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:14.665{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000140666\VirtualDesktopBinary Data 12241200x80000000000000005501255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:14.665{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000140666 11241100x80000000000000005501254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:14.352{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:14.352{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FB9A84C7992F4BA1D52193EE1B97EF,SHA256=48CE8FFBDAB4BD48C70247A410BFD525732EE40875D8311B57CB628E3EC97F5Ffalsetrue 23542300x80000000000000001551325Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:14.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF5089BF59C0086AA13CEDDBD48B0072,SHA256=B621F38E04EC437DCE58551B230FCE6B06A7B85B59C571576D801A178A3487F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551324Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:14.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA558E02CAB729A753445219FA01FBD8,SHA256=CCAA91E63F5AB413DD145EBDC3D1F4E462A9654962A30576B145E0FF46421343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551330Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:15.879{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF5089BF59C0086AA13CEDDBD48B0072,SHA256=B621F38E04EC437DCE58551B230FCE6B06A7B85B59C571576D801A178A3487F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551329Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:15.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25CE751D20911961C55697037357D02,SHA256=AB57B513479561CF189BD77269E4A1F8A405E4695A63ECD2FB410229DECF35EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:15.399{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:15.399{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFCCA9917565CC85113258EF644CAB1,SHA256=A1D0015E42F3F372C53CB22F663739E6D1270C94FED3792CC04ADEFC356CBDF9falsetrue 354300x80000000000000001551328Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:07.805{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61748-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000005501259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:01.633{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49840-false10.0.1.12-8000- 11241100x80000000000000005501258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:15.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:15.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA36E2379A3BCAC87A1C56C427766F48,SHA256=202114E84738EBE1107C9165C6D198F58609EC084B24B9B2FF3B0ACB50F6A0FAfalsetrue 10341000x80000000000000001551340Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.727{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1254-6139-B3D0-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551339Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.727{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551338Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.727{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551337Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.727{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551336Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.727{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551335Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.727{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1254-6139-B3D0-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551334Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.727{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1254-6139-B3D0-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551333Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.712{AEE49BD1-1254-6139-B3D0-00000000F101}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551332Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:16.695{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D0CEC473027603791A1F17EADC768F,SHA256=BB361D25EBD72FCE90BD44DF2FC9BED75C2858EF1CB2A6186FADBC4357123CCE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:16.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:16.430{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE7A6BB4AE370ADBF508987ACE040CA,SHA256=1EDD8C9508F11D1FD481ED26F914BA883807CA506C720DA324FF9EB501296417falsetrue 354300x80000000000000001551331Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:09.455{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001551351Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.743{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C08EA9F1C24D122E27614348D9CD2F97,SHA256=302E8BE7DDCE797AB269192F19564C04ADF5F0FBF9F8E6F4E123E08B96FF5F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551350Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.696{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF274455284A8B9ADBA503B0F931645,SHA256=14D850E834CD11F6CE6E2F6007319D1DF8446629F622C801E1D33A692511466C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:17.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:17.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6965831DB2E12444827F030F51767A,SHA256=FEA79E2CAA72BCF2615A4BC7CC2E9BFC79415E4BBA2D9049A0B6502ED68B4FE8falsetrue 10341000x80000000000000001551349Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.543{AEE49BD1-1255-6139-B4D0-00000000F101}58201176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551348Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.412{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1255-6139-B4D0-00000000F101}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551347Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.412{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551346Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.412{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551345Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.412{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551344Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.412{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551343Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.412{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1255-6139-B4D0-00000000F101}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551342Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.412{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1255-6139-B4D0-00000000F101}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551341Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.397{AEE49BD1-1255-6139-B4D0-00000000F101}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551360Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.728{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7504C010E680889606922A3D50E408B0,SHA256=E006213840A3C6967AB3CAF9D9CC3BABA952F2B444EAC4BF6638AEB386697CEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:18.962{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:18.962{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=91012D7E07A438918D33D5139DC18F75,SHA256=D39C9BA9AC40EAC0E2834EE491E8C5B2DB305626F6650DC6F9D2BC29F777642Cfalsetrue 11241100x80000000000000005501269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:18.477{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:18.477{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5262BF1A94E3EF273D38DF15520BE9,SHA256=E3472F068B7D8D29D9A0B0BCBDE5B8D7087B1D035BB9345C513586051B4B738Efalsetrue 10341000x80000000000000001551359Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.096{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1256-6139-B5D0-00000000F101}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551358Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.096{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551357Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.096{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551356Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.096{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551355Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.096{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551354Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.096{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1256-6139-B5D0-00000000F101}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551353Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.096{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1256-6139-B5D0-00000000F101}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551352Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:18.081{AEE49BD1-1256-6139-B5D0-00000000F101}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005501267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:18.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:18.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6930E4511719AAF8E584E4101F687E70,SHA256=C154E553D82116FEE87F36B2E894A60143B390DBBCBFA5910D213014D893FACDfalsetrue 23542300x80000000000000001551362Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:19.745{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75CA85BE728CB1B0EB68EA30E5A79100,SHA256=165906F81FD7F516840D6638F876F9342FF85549CE5E129690F6AFE03A4A9A49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.743{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA667793F33A70A8BB599BCCCCB3CB6E,SHA256=356578E2503BF2968D3AE9C2C3815101A737B82E397EFDA06FBD4F95179FC966falsetrue 534500x80000000000000005501327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.587{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005501326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.587{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005501325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.587{4DF467A6-1257-6139-C1D6-00000000F001}39607272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.587{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005501323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.587{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001551361Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:19.082{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3816AD6C65930C9D5D8B8D960E35F9BA,SHA256=633848EEC2BC9C546C3FC41907004EF209498A4A4327B11F7563076342491478,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005501322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005501321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005501320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005501319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005501318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005501317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005501316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005501315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005501314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005501312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005501311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.462{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005501306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005501303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005501302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005501300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005501298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005501297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005501296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005501294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005501293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005501291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005501288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005501287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005501286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005501285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005501280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.446{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:19.431{4DF467A6-1257-6139-C1D6-00000000F001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005501277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:19.430{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:19.430{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:19.430{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:19.430{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:19.430{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:19.430{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551364Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:20.765{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BB5DA53DEBE53FA7B1C2E406837CA9,SHA256=8238EE189155E7FAFCE7744FB326217714009E5C3850D54101810DB83D73C4D9,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005501456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.946{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005501455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.946{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005501454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.946{4DF467A6-1258-6139-C3D6-00000000F001}8281944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.946{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005501452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.946{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005501451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB47E54210692302076FF3B40F9FD75A,SHA256=6F10F554D6B253DBD8AB5F2D2FE181A39F60CD15394DB6CD54A20124372A25D3falsetrue 734700x80000000000000005501449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.837{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005501448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005501447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005501446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005501445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005501444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005501443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005501442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005501441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005501439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005501438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005501433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005501432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005501431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005501427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005501425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005501424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005501423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005501422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005501420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005501419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005501415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005501414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005501413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005501412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005501407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.821{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.806{4DF467A6-1258-6139-C3D6-00000000F001}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005501404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.805{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:20.805{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.805{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:20.805{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.805{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:20.805{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000001551363Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:12.812{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000005501398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:20.493{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 11241100x80000000000000005501397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B149FDA36502EC34E779980A1A9D20C1,SHA256=3C52A6A7161506600CA261EFB60DA756BA38C7959ADF1EC85C622FB9D2098039falsetrue 11241100x80000000000000005501395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.446{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46DE643A8FEBE05CC36F44DB31A436E9,SHA256=7FB6B43F2CF56CF9440C642BF7633EC22C13EA12DAD17166E9BF61A9E0AE1B0Cfalsetrue 12241200x80000000000000005501393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:20.290{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PendingChanges 13241300x80000000000000005501392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:20.290{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\PlaceholderDWORD (0x00000000) 13241300x80000000000000005501391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:20.290{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\Settings\1065\{00000000-0000-0000-0000-000000000000}\KnowledgeQWORD (0x00000000-0x00000003) 13241300x80000000000000005501390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:20.290{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\Identities\877fd83f-3dba-4665-9010-4319bfad7aca_ADAL\LastWriteBinary Data 534500x80000000000000005501389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.259{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005501388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.259{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005501387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.259{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005501386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.259{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005501385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.149{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005501384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.149{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005501383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.149{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005501382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.149{4DF467A6-1258-6139-C2D6-00000000F001}5360\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005501381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.149{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005501380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005501379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005501378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005501377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005501375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005501374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005501373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005501371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005501369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005501368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005501366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005501365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005501363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005501362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005501361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005501360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005501358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005501355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005501354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005501351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005501350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005501348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005501347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005501346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005501343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005501338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.134{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.118{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:20.119{4DF467A6-1258-6139-C2D6-00000000F001}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005501335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:20.118{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551365Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:21.769{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE576ADD7375851412D2EBE0C532466,SHA256=F93ADDAA2150DB3D6A69E3C5E639E13826F169DACB82A540E3068EDFF65987A0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000005501515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:07.117{4DF467A6-1238-6139-BCD6-00000000F001}6444roaming.officeapps.live.com0type: 5 prod.roaming1.live.com.akadns.net;type: 5 us2.roaming1.live.com.akadns.net;::ffff:52.109.20.16;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 534500x80000000000000005501514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.634{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005501513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.634{4DF467A6-1259-6139-C4D6-00000000F001}51723932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.634{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005501511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.634{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005501510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.524{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005501509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.524{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005501508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.524{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005501507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:21.524{4DF467A6-1259-6139-C4D6-00000000F001}5172\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005501506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.524{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005501505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005501504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005501503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005501502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005501500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005501499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005501498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005501497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005501496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005501495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005501494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005501493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005501492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005501491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005501490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005501489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005501488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005501487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005501486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005501484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005501476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005501472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005501467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.509{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:21.494{4DF467A6-1259-6139-C4D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005501464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:21.493{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:21.493{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:21.493{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:21.493{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:21.493{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:21.493{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000005501458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:07.586{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49842-false10.0.1.12-8000- 354300x80000000000000005501457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:07.209{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49841-false52.109.20.16-443https 23542300x80000000000000001551366Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:22.807{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116D34D4BBAF5414B37D57D03058E820,SHA256=F5C438FB29372759186B98C12C2491C2747B7E7AC137F4B2E92877AC123D0827,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005501634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.868{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005501633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.868{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005501632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.868{4DF467A6-125A-6139-C6D6-00000000F001}27367972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.852{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005501630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.852{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005501629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.743{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005501628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.743{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005501627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005501626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005501625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005501624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005501623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005501622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005501621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005501619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005501618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005501613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005501612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005501610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005501607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005501605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005501604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005501603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005501602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005501600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005501599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005501598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005501594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005501593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005501592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005501591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005501586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.727{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.712{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.712{4DF467A6-125A-6139-C6D6-00000000F001}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005501583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.712{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:22.712{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.712{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:22.712{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.712{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:22.712{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005501577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.165{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005501576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.165{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005501575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.165{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005501574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.165{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005501573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005501572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005501571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005501570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005501569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005501568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005501567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005501566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005501565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.055{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005501563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005501562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005501557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005501556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005501554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005501550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005501549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005501548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005501547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005501546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005501544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005501543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005501542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005501538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005501537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005501536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005501535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005501534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 734700x80000000000000005501533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 23542300x80000000000000005501532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E403FACEFB0A475C330D4EE51DBC5E32,SHA256=2B63F7207E0A80F013F3524076448EA6C2ABF2D68A21E784BEDC947133E7876Bfalsetrue 734700x80000000000000005501531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005501528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.040{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.030{4DF467A6-125A-6139-C5D6-00000000F001}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005501525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.024{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:22.024{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.024{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:22.024{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:22.024{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:22.024{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005501519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.024{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.024{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C8C9AE81174A4FD892339CF53191A4,SHA256=58B9499B360E055E6304C45CB99E782DEC12236B4B75074704140817F1DF506Dfalsetrue 11241100x80000000000000005501517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.024{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:22.024{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B149FDA36502EC34E779980A1A9D20C1,SHA256=3C52A6A7161506600CA261EFB60DA756BA38C7959ADF1EC85C622FB9D2098039falsetrue 23542300x80000000000000001551367Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:23.810{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DBA2B3744FBC377238C845F638D95D,SHA256=2FFC7B7F74A3CDC23021D20BA06F0C7EA490BAB10FB65A07A38013DCB8268743,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005501698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.555{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005501697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.540{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005501696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.540{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005501695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.540{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005501694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.430{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005501693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.430{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005501692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005501691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005501690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005501689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005501688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005501687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005501685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005501684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005501683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005501682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005501680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005501679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005501677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005501676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005501674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005501673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005501672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005501669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005501668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005501667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005501666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005501665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005501664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005501660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005501656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005501651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.415{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.399{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.400{4DF467A6-125B-6139-C7D6-00000000F001}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005501648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:23.399{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:23.399{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:23.399{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:23.399{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005501644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:23.399{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005501643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:43:23.399{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005501642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.196{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.196{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C62BBE8C327E81C72ABF3FA5095A0759,SHA256=1AAD43C2410D0A6085F4A473C8FF9BCA104150DAA42005DD0457644A3D434F8Efalsetrue 11241100x80000000000000005501640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.196{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.196{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E893D781885A1B9B11242A186CD268,SHA256=7942656B239DE62CE1F5C02832B3DF9D57F3DC53B99E7304FF7ED83C5CE17124falsetrue 11241100x80000000000000005501638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486DAE3C849617C638EE6EFB54D233EB,SHA256=42342AFFC9BF736850106FB96C92F03CA4E2460C4EDBBE2D952D989E0275F7E6falsetrue 11241100x80000000000000005501636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.180{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDCBDF06B02FF8CE0017FE883AB2C6D3,SHA256=FF584409D7285A71462E1F994FCB3F34E2DC8C98CA510AFAE7A4E9FAAFE5F16Ffalsetrue 23542300x80000000000000001551370Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:24.812{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C7CC7D2FE2B0F9CAE92D0234924329,SHA256=69ADB3E62E1A9E0B7EB5084CBAD677C033DFBBF703876696516545B02A108F67,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005501714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:24.852{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005501713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:24.852{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005501712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005501710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005501709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005501708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.837{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-9719-6137-95A6-00000000F001}4996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005501704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.415{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.415{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7DD018F8DC12151D55EBCB91D18286D,SHA256=0E59C8FC1B69A09864FDD2F3D67794EAED7513BBF4BDBA13111AF5AE62E056F2falsetrue 11241100x80000000000000005501702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA65545E3BC6507A49173EFB39792EE5,SHA256=F414C3E048B2846D45BC26F3535708658481CD653168BEE70A18889CBDEECD93falsetrue 23542300x80000000000000001551369Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:24.242{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE05C30FD1D08D9F03FA0B1B8AF2DCE,SHA256=4311A26C0C075BD29F243567CC0EC84C7F1FD69049D8ACC4605E8572FF74AC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551368Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:24.242{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFA39001979BA60360322890ABC4FD47,SHA256=7167D10CDD3D13D5436ADCB48792C80962C7B1CD0E28FD27260B227A63732F7C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.024{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:24.024{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0226041E397E118913DB041881FC4EC5,SHA256=73E34E4D377E2E1DF910861AE24992F841F99102FD013E0E5587DC0BE4EC277Bfalsetrue 23542300x80000000000000001551372Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:25.830{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D09BB65F99F7A6E287C40A8F8B22AD,SHA256=BE7E6A433F20ED824C66026723C02E17DF061D12A2B78506989709C41530F1D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.571{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6B05297E8A79C7F7AC7C2F44B0B198,SHA256=A2CEAE95900179B427A4974E859B2B2D00ACB24AAFCC03D1676C710B2F84CEC6falsetrue 354300x80000000000000001551371Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:17.824{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005501763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005501762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=22068F22CC054B64FD6D93671A99CD75,SHA256=74822D43540E2181E0CAA2A6796B3D83B07EAAFE7F299619A5021449ABA99C4Afalsetrue 534500x80000000000000005501761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.321{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exe 11241100x80000000000000005501760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005501759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=22068F22CC054B64FD6D93671A99CD75,SHA256=74822D43540E2181E0CAA2A6796B3D83B07EAAFE7F299619A5021449ABA99C4Afalsetrue 11241100x80000000000000005501758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-09-03 15:25:16.281 23542300x80000000000000005501757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.321{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B311D9E097910793A08D610A3E2313E8,SHA256=FC6F97402901D67DB5D1A6E58CDAA76F3C99A476A04405CA05533DC4E96EB126falsetrue 12241200x80000000000000005501756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKCR 734700x80000000000000005501755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.305{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=76BF5CA81C749140E05C7519B13B299E,SHA256=D5CBDB2EEE67E582198F9DB213EC95DF9107F08D646E67FFA723066CC434B515trueMicrosoft WindowsValid 12241200x80000000000000005501754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.321{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.305{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000005501731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\ActionsBinary Data 13241300x80000000000000005501730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\TriggersBinary Data 13241300x80000000000000005501729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\URI\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask 13241300x80000000000000005501728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Description$(@%%systemroot%%\system32\sppc.dll,-201) 13241300x80000000000000005501727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Author$(@%%systemroot%%\system32\sppc.dll,-200) 13241300x80000000000000005501726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Source$(@%%systemroot%%\system32\sppc.dll,-200) 13241300x80000000000000005501725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\SecurityDescriptorD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323) 13241300x80000000000000005501724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Version1.0 13241300x80000000000000005501723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\SchemaDWORD (0x00010005) 13241300x80000000000000005501722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\HashBinary Data 13241300x80000000000000005501721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\IndexDWORD (0x00000003) 12241200x80000000000000005501720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.305{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6680E717-711A-4466-96EB-E81A2DACFBEB} 10341000x80000000000000005501719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.305{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.305{4DF467A6-3F46-6132-0B00-00000000F001}6364064C:\Windows\system32\lsass.exe{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.305{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x80000000000000005501716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:25.305{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:25.305{4DF467A6-123B-6139-BED6-00000000F001}5740C:\Windows\System32\sppsvc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 23542300x80000000000000001551373Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:26.849{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00FFD229BCE6A7C06A240CE8750A780,SHA256=78B7D764BA31E514D146ABD1EFFAB387F5FC7C08D9294A46935B4DC7836608A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.665{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.665{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE188360B97B3AC7EB714E1172ED72AB,SHA256=7BB81654E489347FDAF1401E60B69D7D443B658F54CC4839C5676A423B384E55falsetrue 11241100x80000000000000005501771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80B987B92162FA9ABFBEC355211B7F46,SHA256=918D24E2BC5158D861A1AD31DE3CC04A0FD72DB764BB0AEA7A45892671943296falsetrue 11241100x80000000000000005501769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005501768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=84BF2404930C6865359B5D16C56D3C69,SHA256=997CE2B15B9ADA574552FCC473566AA9E42225B1FA547CAC42A911466B847F9Cfalsetrue 11241100x80000000000000005501767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005501766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:26.337{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DF6F3766A5DD7762ECD7BDFA887ADB3,SHA256=3708DFC0BD806BA31170BDA57AA9D9D1AB4FEA46230BED6A243DC13469425058falsetrue 23542300x80000000000000001551374Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:27.852{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248F97F0BFC0D0F220D1EE0FF48861D1,SHA256=FC9F7ECA0131298498D5E79B6E19919A7EB3D0BD9F41420D560FC29C98C95D74,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005501778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:27.868{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005501777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:27.868{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 354300x80000000000000005501776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:13.570{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49843-false10.0.1.12-8000- 11241100x80000000000000005501775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:27.680{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:27.680{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A9062D930D2C462F91DF8CA7FCBCFC,SHA256=D19ADE5A3CBC13022789FB09D0BB9383F1B0019D8630D4990C3513E9A45168EFfalsetrue 23542300x80000000000000005501785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:28.887{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7268MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005501784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:28.886{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72682021-09-08 19:43:28.885 11241100x80000000000000005501783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:28.885{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72692021-09-08 19:43:28.885 11241100x80000000000000005501782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:28.682{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:28.682{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EB40DAB57AD41BE1683943FC062CEA,SHA256=A32DA06B87E2ACA3F6D38EDF25C4D985ED1731F11252861753DB9E69EE63E452falsetrue 23542300x80000000000000001551375Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:28.855{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBA18F5A31AC29F409771B133595968,SHA256=0D934CFAD7CAB99CA9AA9E76C15AEDC43B135DFE6E0E062546A9A42F6A3FB2A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:28.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:28.227{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB818103626E8A304CB6A2F99759F729,SHA256=5E4E1A160BAEA186A937388A1BE18EE7A7F88940C12FEC1E08BBB4690820BBC5falsetrue 23542300x80000000000000005501790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:29.900{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7269MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000005501789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:29.697{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:29.697{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE13E43A7106D3572EAF5821F860E75,SHA256=6474CDE223FEB2B405D94BB3F051CEF103C089F717B14B331B4C917A9531CF7Cfalsetrue 11241100x80000000000000005501787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:29.056{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:29.056{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38A6C2D94C2A96E0E6B5D3B96F09AA97,SHA256=495DC477B30DCB8C2B9895858D4583736891F4A1A9E6A236D0C73011D15AA552falsetrue 23542300x80000000000000001551376Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:29.873{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B74D02B88D00EB3AEB2E6B40A1DEF6,SHA256=A592A8EA7D1CFD93E456173F20971FDAD0133C2A4EC2B84F037FF0331FFEE685,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:30.997{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005501794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:30.997{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5125AE76CDE556204697753B61F78C66,SHA256=88A84D52739ACF85008BDB87269CEF31632ED04546D616C78FB77AC6BDC5A044falsetrue 11241100x80000000000000005501793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:30.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:30.713{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E89615760CFF8573311EEE2C213DD64,SHA256=1D25598AEAB5C0D8A078F1B3F36F8F79DAA02FB285A2EE9CF0AE3281B8E4EAE1falsetrue 23542300x80000000000000001551380Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:30.875{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E02B4B091656D5827A72B8DAA28E9E8,SHA256=9C14A901957D3A06EC4B0516C6E66DF00885DE8AEE59340D0FD4541FF9D59F66,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005501791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:30.022{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 354300x80000000000000001551379Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:23.787{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61752-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551378Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:30.192{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5A035CE54E6C6A46D696E3A6A640D25,SHA256=5511B8BDEF77E2E2E2B212B8A00A86439FCDE954C0BF1F3590E1A3ADB042E979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551377Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:30.191{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE05C30FD1D08D9F03FA0B1B8AF2DCE,SHA256=4311A26C0C075BD29F243567CC0EC84C7F1FD69049D8ACC4605E8572FF74AC12,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:31.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:31.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B483308B4C2329C8845F93A14919BBA3,SHA256=B8DEE784463BFC9BE52B1F3DE73549E000DFF0831A70D7904BA6986B752F1CCEfalsetrue 11241100x80000000000000005501799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:31.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:31.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46145AFB9E68B71CA21E136A16FC0E4,SHA256=74E80C42DDA435DCD1B4C83CA1AAC5C03919A864D48D4D43A3F7CA74DBA20A41falsetrue 11241100x80000000000000005501797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:31.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:31.716{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB392E7BD88E4F7F1703CDC62080F25,SHA256=18795450C6F97E5087868E862AEA0AACA269540886389D5704A03FF5B4266D70falsetrue 23542300x80000000000000001551390Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.876{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552A5E6CC3DDE446AB8E9712AFBB6139,SHA256=D25E9EB07A9991AF96A396A169CB27C06506F8EB927B90502F5DC28FDF0C2F8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551389Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.729{AEE49BD1-1263-6139-B6D0-00000000F101}50044172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551388Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.598{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1263-6139-B6D0-00000000F101}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551387Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.598{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551386Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.598{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551385Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.598{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551384Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.598{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551383Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.598{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1263-6139-B6D0-00000000F101}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551382Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.598{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1263-6139-B6D0-00000000F101}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551381Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:31.592{AEE49BD1-1263-6139-B6D0-00000000F101}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005501804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:32.810{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:32.810{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9332CF43B22FED0771873778B150B33C,SHA256=FC946FFDA7621513B33ED3D8F37FAC93F880C202983952088F5C76C3BCA1BD13falsetrue 10341000x80000000000000001551409Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.978{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1264-6139-B8D0-00000000F101}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551408Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.978{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551407Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.978{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551406Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.978{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551405Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.978{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551404Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.978{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1264-6139-B8D0-00000000F101}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551403Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.978{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1264-6139-B8D0-00000000F101}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551402Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.963{AEE49BD1-1264-6139-B8D0-00000000F101}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551401Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.899{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BC57E57B86C17AAA25D66569B97C5B,SHA256=E8E8D0148A7A93ECB3867DF691D269C6F9749FD58734B60C8CFB55E0286E25E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005501802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:18.574{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49844-false10.0.1.12-8000- 23542300x80000000000000001551400Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.597{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5A035CE54E6C6A46D696E3A6A640D25,SHA256=5511B8BDEF77E2E2E2B212B8A00A86439FCDE954C0BF1F3590E1A3ADB042E979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551399Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.414{AEE49BD1-1264-6139-B7D0-00000000F101}51164544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551398Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.295{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1264-6139-B7D0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551397Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.293{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551396Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.293{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551395Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.293{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551394Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.293{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551393Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.293{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1264-6139-B7D0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551392Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.292{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1264-6139-B7D0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551391Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:32.277{AEE49BD1-1264-6139-B7D0-00000000F101}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551412Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:33.997{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CCDB795C951ECFDAA10532948C3B613,SHA256=AFCFF3EABEC5D5D4BDAE3D0C18F0A86FCDF0226B8CC37BF9138BE85FBC3A09DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551411Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:33.900{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F94FE0A98B8AC98D2CF7AA65AD9650,SHA256=07D33614948DFB7F53437DF9CFCA05DC325EDC84765599DB105BD9D125DA1D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005501822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.857{4DF467A6-1238-6139-BCD6-00000000F001}64446520C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52cbf|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52c5a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52bd6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+5259d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+7cc7f|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1e87dc|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1210|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1602|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005501821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:33.857{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005501820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:33.857{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000005501819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:33.857{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005501818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:33.857{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 10341000x80000000000000005501817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.857{4DF467A6-43FD-6136-8C7E-00000000F001}966264C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.857{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.857{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005501814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8361E2FEBBA62CBF95EEE6EA5EE7A077,SHA256=6F81596C702496969B93FDE917932EA740CBA3D4CE90AFA8E9CA787F9A70B34Cfalsetrue 11241100x80000000000000005501812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6585C358C6B9284E3959582DA3D47B9E,SHA256=A9F526E7C2C89CA808C7AF16B3897214C9E770361FA4B6C7CB2AC84D8D0298A5falsetrue 24542400x80000000000000005501810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.044{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=19C47606F34C7C7D8DCEF1E5ED08FD8E,SHA256=243A8231DB4B0B0D29B18ABB7335FBAD497AEB9104260FC635113B0E5A4A50C4true 10341000x80000000000000005501809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.044{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.044{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005501807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeC:\Sysmon\CLIP-19C47606F34C7C7D8DCEF1E5ED08FD8E243A8231DB4B0B0D29B18ABB7335FBAD497AEB9104260FC635113B0E5A4A50C42021-09-08 19:43:33.044 10341000x80000000000000005501806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.044{4DF467A6-1238-6139-BCD6-00000000F001}64446520C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52cbf|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52c5a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+52bd6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+5259d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+7cc7f|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1e87dc|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1210|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1602|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:33.044{4DF467A6-3F58-6132-2B00-00000000F001}29486000C:\Windows\sysmon64.exe{4DF467A6-9719-6137-94A6-00000000F001}3852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551410Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:33.099{AEE49BD1-1264-6139-B8D0-00000000F101}57724848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551413Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:34.903{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A1BED9F00EF1499705F06B4AC1715D,SHA256=DE77FC9DA59C5CD9DEE2FDDD3A009D99B4F449DC5E5E8CE416EA0790A1681DCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:34.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:34.841{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F38DA8399F0F83888E895A7674048DF,SHA256=388E9E4FB78B60E7BB73AFA8557709493455DD3703228344A16CD6B95783C310falsetrue 11241100x80000000000000005501824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:34.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:34.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87487E9191F6CC3F6B0B3701AAC06E49,SHA256=2A2716EAEE5DA1D4174AC148B533B40BAB94E58A721DAA49954F258C0DA992F4falsetrue 11241100x80000000000000005501828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:35.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:35.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C459BAE4C5163A98BEB626A7221F576F,SHA256=F31569FB938A604374DDD0D25B3D698DB9FB8ADCAD14B8AA05B3F44250522595falsetrue 23542300x80000000000000001551414Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:35.906{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400ED106490BCF9E6EFB976BBDA9D7DD,SHA256=ACB77BCA9D459E6FA020B740C5C97F927E4C032FA2D6C20D9FE6871DC8C8D088,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:36.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:36.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204C369E1325500D50B579000A161A06,SHA256=BD329964B400CF2EB6DE99E5AE9CD3E60D000FA216BE1EDC453377556CD6B026falsetrue 23542300x80000000000000001551417Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:36.922{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249F32F598F8D50F42D3E7D18D81BEF7,SHA256=2CB16491F4DAC0E42472A5820CD36AFF393CE5A50879F5BBFEF9DA4F21E379CD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005501830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:36.872{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005501829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:36.872{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 354300x80000000000000001551416Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:29.651{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551415Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:36.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7604F4ACB7A02C6D264C0B808B8669F,SHA256=D9DDCFC4B6984E35AFC989BE6D1F95A95979C77CC3E1BBBFBBFDBB8E737B0929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551418Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:37.925{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A21DD7874048E7135B23F0388AF92B,SHA256=97CDB4B454255762A77A3EA454496694D9359010D0A48347798508BBBDBB81FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005501837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:23.761{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49845-false10.0.1.12-8000- 11241100x80000000000000005501836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:37.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:37.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7ED8E206CD5C241D14FC699403A9FA,SHA256=0D9CAF62172BA5AB2F2CAAD5631D49C3F9740131DFFA04D6885CC326FDA494C2falsetrue 11241100x80000000000000005501834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:37.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:37.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B483308B4C2329C8845F93A14919BBA3,SHA256=B8DEE784463BFC9BE52B1F3DE73549E000DFF0831A70D7904BA6986B752F1CCEfalsetrue 23542300x80000000000000001551419Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:38.957{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F16BD123A4917FF07131734E5A040B,SHA256=9495796D745EBB51A04ED18E82D38C8AB7747A9FDF0A9C57FC36CA45C3C834B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:38.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:38.482{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B9D4BB9D642B6B1E965DA91FCFA66C5,SHA256=EEC2F5F8B580ACDDC1A61E7971FA97AE83CE35D55D2219C66F1232222BA9C2E7falsetrue 11241100x80000000000000005501839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:37.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:37.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4735EC98DB5C2458A673E22990ADC9,SHA256=558D84D8EB0C068C269334EFC4D1E6E8CE2478AE361BE5C83DA3CC0961574D67falsetrue 23542300x80000000000000001551420Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:39.960{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FFADC22CDF0B9248F7FA2A0E765151,SHA256=0DF9E778EBACE6F2DCDA9E693D4D93E18D4B0A6EAFFA9A0C4D50DD831A1BE1E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.200{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.200{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83BA8D3D6EC08378A2FAF7447DE06E9D,SHA256=A1767E639E9B5818B72E54A1D7930374C5D8F37B0552D1B710C651BEF259298Bfalsetrue 11241100x80000000000000005501843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2A19A09ED867AE4ABBD69DDEBA3C60,SHA256=EDE92EA3BE8A151337CCC2584C45A4CA044C4D633A41554C5E830B0BD48E11D9falsetrue 23542300x80000000000000001551421Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:40.963{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A45E9ECD77B3B1C2B9FEE5149CDA62,SHA256=C3D77622AA9C032E40D26528E1CDF853376FD42BB37A3A2C9180AA0170946735,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:40.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:40.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0A8BEA95BA6EEB3D8E54E15233D004,SHA256=35E1F4276291878D1843EDE45A177F11FB830CE99B204E9BD146DC5EF00F863Cfalsetrue 23542300x80000000000000001551432Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.979{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163191366D4A17C2ABDAD0F8E3E3193B,SHA256=1B883F9249BE68925E6DE43B264B83EA5B71AEC78369842F9969E727BA271CB4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:41.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:41.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515EA3B992369A037E01D2EBE0ABEDFC,SHA256=A30CF2F2AD70AEF8D6876DC57FDAA6217D3C575AD2026580DB0068D95B6706D7falsetrue 354300x80000000000000001551431Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:34.661{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001551430Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.447{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-126D-6139-B9D0-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551429Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.447{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551428Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.447{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551427Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.447{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551426Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.447{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551425Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.447{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-126D-6139-B9D0-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551424Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.447{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-126D-6139-B9D0-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551423Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.432{AEE49BD1-126D-6139-B9D0-00000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551422Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:41.078{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3562E8C74A843823F8A2B1B042426BC2,SHA256=476F0AB3326214C5073560D4F2EC31E46058A4194B7C2CB58CC423A928F4C4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551434Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:42.981{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3ECCD99D698A46B696AC97CA04E49CC,SHA256=4DD42D52B9774D6F710259839CDD93B9E8A635FE144EAB92C64495242487CD84,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:42.107{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:42.107{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E6951141874C442D5FB80DD084A936,SHA256=339FC591F385B63DC744A73C97E20CDC53957E071902EA21F0CD0A9A44E6C6C7falsetrue 23542300x80000000000000001551433Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:42.449{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45ED689A62D0A76D9F8429A40D17C722,SHA256=6B0C08BDAE308DA741FE70D010348E91AC9E1B222E7B6B8226B0B488F90085DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551436Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:43.983{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05E78A2047A4A10A2397D19ACC40FA4,SHA256=D09E99795E446488982CF8D4698896A669A826CB0515818CACBB88B478699F41,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B18491CD9B6939C7A1EE34A817C4707,SHA256=1F1809F80A34B8577B5C86D0BA2646218D9F17A5CA0C0F638BF909ED4B29A9BCfalsetrue 11241100x80000000000000005501857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.169{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9F7B7B130FDB3E5173EF7549A232B7,SHA256=1A8787DCB59D0F04BBEBFEC3A94CFAD04C55AB88432A3C8C9FABCBD8C6697F76falsetrue 23542300x80000000000000001551435Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:43.954{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7259MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DBDB16CF8211A8A5EC33E858BD46A1A,SHA256=19CE6568809868D6B2EDCFDFFF4BFDFF5BC992F55951924D5E09E32A7C64E43Bfalsetrue 11241100x80000000000000005501853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005501852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:43.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7ED8E206CD5C241D14FC699403A9FA,SHA256=0D9CAF62172BA5AB2F2CAAD5631D49C3F9740131DFFA04D6885CC326FDA494C2falsetrue 23542300x80000000000000001551438Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:44.985{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52BEBD8BA6C3CED3C65995B5527BC737,SHA256=DB281AE6F07A4B5E28AD72E9D4B357635561AC060509E9A16A1756B93B41BC38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005501864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:44.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005501863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:44.232{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=00F5C926EF8EE7EFE0DDF993E81BF3D4,SHA256=FA886F815C996666E4DAF1DBDA33AA0CBB7D6C251F40AA61902DCFDDD53798C1falsetrue 11241100x80000000000000005501862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:44.185{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:44.185{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2DCDDAE9CBDBB76795F48CCAF3C634,SHA256=852BED146FEDC4217C34D30D98E1DE8545E25F2860F457F5F991E1D3B125F1B7falsetrue 23542300x80000000000000001551437Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:44.955{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7260MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005501860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:29.589{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49846-false10.0.1.12-8000- 11241100x80000000000000005501866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:45.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005501865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:45.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9732566CF6A5C929C9AF996319BC62,SHA256=BBF00C6302BACADBA035384D83428136D31667E9104F78B72A7B0770CBE7B162falsetrue 354300x80000000000000001551441Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:39.802{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551440Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:46.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F189E2EE1CC770618802AC46504F6AA,SHA256=545B8EA4E10E0F5142E17B18A61E3584E405471BC61C76177A1156388C8719A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551439Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:46.022{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D976DF3AB60C424CDCDA1D9B645329F,SHA256=97FFC63B0721E13C3301F5D00155A04E55C11657880694EEA21F0640C5FCEEA5,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005502282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x80000000000000005502281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=770C1528B78CC7B2BBF0AF74CEF0C201,SHA256=100514AA8D39939A9619BA454C25B570F35CFD864DC347B45F5F144CA47E7AB6trueMicrosoft WindowsValid 734700x80000000000000005502280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 11241100x80000000000000005502279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DBDB16CF8211A8A5EC33E858BD46A1A,SHA256=19CE6568809868D6B2EDCFDFFF4BFDFF5BC992F55951924D5E09E32A7C64E43Bfalsetrue 734700x80000000000000005502277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValid 734700x80000000000000005502276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=039F872B9E944D6588D144FE08B79A82,SHA256=6E9B077330E005F81EF80753673E873A0A73E55DBE50E586B52516D92EF0B6C7trueMicrosoft WindowsValid 734700x80000000000000005502275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x80000000000000005502274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.982{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ieframe.dll11.00.14393.4583 (rs1_release.210730-1850)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=808D1FF9595090E003169ECCF5A01998,SHA256=F4211A12B2FA4DC0FBD6A302B8992047BC96A1E9E015D53205C42F909C87E95DtrueMicrosoft WindowsValid 734700x80000000000000005502273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.872{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x80000000000000005502272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.857{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x80000000000000005502271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.857{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x80000000000000005502270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.857{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 12241200x80000000000000005502269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.857{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x80000000000000005502268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.857{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x80000000000000005502267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.841{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=3E0252D377C7905383A3780B13495CA9,SHA256=FD24AD22E174873DEDC5BB091A9E32CF2689063C5B18E79615B3B52081582FADtrueMicrosoft WindowsValid 734700x80000000000000005502266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.841{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValid 734700x80000000000000005502265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.825{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\Windows.Shell.ServiceHostBuilder.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Shell.ServiceHostBuilderMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Shell.ServiceHostBuilder.dllMD5=FA980AB8F03E094783137126D17E568C,SHA256=DADF71326270DBFE2D17A45D5C50A4FCB7A32ACECAB354299977FBB34135BE89trueMicrosoft WindowsValid 10341000x80000000000000005502264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.825{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005502263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FBEF9F1B67CDD8C0EDC3917E56B0D7,SHA256=33E7993E581DB83F6EB2C81ACAA372BEDD946B5FD9B75A811592BC9468E7C0CDfalsetrue 734700x80000000000000005502261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.825{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValid 10341000x80000000000000005502260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.810{4DF467A6-3F48-6132-1600-00000000F001}12487364C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.810{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.810{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x80000000000000005502257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.810{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x80000000000000005502256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.794{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000005502255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.794{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x80000000000000005502254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.778{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06AtrueMicrosoft WindowsValid 734700x80000000000000005502253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.747{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x80000000000000005502252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.732{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid 11241100x80000000000000005502251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.732{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EC4FAAEC32A5351953A424E8CF2B70,SHA256=676BF2C52D36B8A2DCF8739E71B8C728321D8811E2663180A5B29C3A6BDB1CC4falsetrue 734700x80000000000000005502249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.732{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\ClipSVC.dll10.0.14393.4169 (rs1_release.210107-1130)Client License ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationClipSVC.dllMD5=96D21C2596ACCF851D333CF78B56ACDB,SHA256=E356FF7A84952095B23AFD106F4A4C164EC31E652D4DE46E2F3B41151184A84DtrueMicrosoft WindowsValid 734700x80000000000000005502248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.716{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 12241200x80000000000000005502247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005502246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005502245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005502244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005502243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005502242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005502241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005502240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005502239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005502238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005502237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005502236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005502235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005502234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005502233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005502232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005502231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005502230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005502229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005502228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005502227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005502226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005502225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005502224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.716{4DF467A6-1272-6139-CED6-00000000F001}35966096C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.716{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 12241200x80000000000000005502222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.716{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005502221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.716{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2BtrueMicrosoft WindowsValid 734700x80000000000000005502220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.716{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638trueMicrosoft WindowsValid 734700x80000000000000005502219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.700{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005502218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.700{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 734700x80000000000000005502217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.700{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\mintdh.dll10.0.14393.0 (rs1_release.160715-1616)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=32254E75260F1CAE3AB9EAC044B344B7,SHA256=B714E3CDEB23E63894D62E9335F51E301A9093F263623CCEFA2F674AABE7D629trueMicrosoft WindowsValid 734700x80000000000000005502216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.700{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\tdh.dll10.0.14393.4283 (rs1_release.210303-1802)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=18D509F5788831270FCDA4D11E023E37,SHA256=08965C78D75432D1E1199E8162B3FB3FE11D89945B69BA48DE6F595FB280E52FtrueMicrosoft WindowsValid 734700x80000000000000005502215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.700{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862trueMicrosoft WindowsValid 11241100x80000000000000005502214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.700{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CAA3258FC344F662763E53C8B1C670,SHA256=B891EF40A7A003D5FE1B71802C32DC2C8A51F57850EA2BBCB0192697EAD015DAfalsetrue 734700x80000000000000005502212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 734700x80000000000000005502211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 734700x80000000000000005502210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000005502209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000005502208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005502207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000005502206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005502205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005502202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.685{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\AppXDeploymentServer.dll10.0.14393.4530 (rs1_release.210705-0736)AppX Deployment Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentServer.dllMD5=33FBA504974FC48036A4A9C5F57821AA,SHA256=9132BB8E3E11F28C95F9C6E3A6155F003B6089A943A62E7085859A9504C21897trueMicrosoft WindowsValid 10341000x80000000000000005502201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-3F46-6132-0A00-00000000F001}6207644C:\Windows\system32\services.exe{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005502198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005502194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005502193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005502192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005502191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005502188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7trueMicrosoft Windows PublisherValid 10341000x80000000000000005502184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.669{4DF467A6-3F46-6132-0A00-00000000F001}6207636C:\Windows\system32\services.exe{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.624{4DF467A6-1272-6139-CED6-00000000F001}3596C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k wsappxC:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000005502181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-3F46-6132-0A00-00000000F001}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\AppXDeploymentClient.dll10.0.14393.4169 (rs1_release.210107-1130)AppX Deployment Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentClient.dllMD5=CAB72C75488BEBBCE616BE92273067BC,SHA256=4C45D209A569E056CF52ED53968F926729DB1BF36043101A5798D47B421352C3trueMicrosoft WindowsValid 734700x80000000000000005502176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x80000000000000005502175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000005502174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.607{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000005502173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000005502172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000005502171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000005502170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x80000000000000005502169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x80000000000000005502168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000005502167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000005502166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x80000000000000005502165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000005502164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000005502163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x80000000000000005502162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000005502161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000005502160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x80000000000000005502159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000005502158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x80000000000000005502157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x80000000000000005502156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x80000000000000005502155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000005502154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x80000000000000005502153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000005502152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000005502150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000005502145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000005502144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x80000000000000005502143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949trueMicrosoft WindowsValid 10341000x80000000000000005502141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CBD6-00000000F001}58086940C:\Windows\SysWOW64\cmd.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+10c43|C:\Windows\SysWOW64\cmd.exe+1499f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x80000000000000005502139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.595{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEc:\windows\system32\calc.exeC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=E5F11087E724759F5A52667D22485DF5,SHA256=3F2400274E4AE8B9B6B622A0571BBD96C293A708925549495A2FF1672964E949{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\calc.exe 734700x80000000000000005502138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.591{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 13241300x80000000000000005502137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005502136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005502135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000005502129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005502128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005502127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005502126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005502125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0562\VirtualDesktopBinary Data 12241200x80000000000000005502124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0562 10341000x80000000000000005502123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000005502116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.575{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000005502115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-3F48-6132-1600-00000000F001}12487364C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000005502112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000005502111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005502110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000005502109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005502108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005502107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005502106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005502105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 10341000x80000000000000005502104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}22562712C:\Windows\system32\conhost.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005502102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005502101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.560{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000005502100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005502097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005502094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005502092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005502089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4583 (rs1_release.210730-1850)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=2FB0A16E47FFDD4CBB3E80E58ECD8AE1,SHA256=943949336C9A3707F0A9FFD76A6D20278B6EE72513E8D193D04B27133C36B7C6trueMicrosoft WindowsValid 734700x80000000000000005502088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000005502087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000005502086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.544{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000005502082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.543{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\system32\calc.exe 734700x80000000000000005502081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000005502080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000005502078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000005502073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000005502072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x80000000000000005502071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7FtrueMicrosoft WindowsValid 10341000x80000000000000005502069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CAD6-00000000F001}15802444C:\Windows\SysWOW64\rundll32.exe{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+159f9b(wow64)|C:\Windows\System32\KERNELBASE.dll+159c4c(wow64)|C:\Windows\AppPatch\AcLayers.DLL+1b887(wow64)|c:\users\administrator\appdata\local\temp\docusign.cpl+43f7(wow64)|c:\users\administrator\appdata\local\temp\docusign.cpl+41e1(wow64)|c:\users\administrator\appdata\local\temp\docusign.cpl+2c37(wow64)|c:\users\administrator\appdata\local\temp\docusign.cpl+1273(wow64)|c:\users\administrator\appdata\local\temp\docusign.cpl+14d8(wow64)|c:\users\administrator\appdata\local\temp\docusign.cpl+15be(wow64)|C:\Windows\SYSTEM32\ntdll.dll+6ea4e(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3eea6(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52fcc(wow64) 154100x80000000000000005502067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.536{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c c:\windows\system32\calc.exeC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 c:\users\administrator\appdata\local\temp\docusign.cpl 734700x80000000000000005502066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Users\Administrator\AppData\Local\Temp\docusign.cpl-----MD5=187E6745C0647E05C6624831A40BDA1F,SHA256=28221016EF84D1B2D71C6450AB9DDF30C633C23810A7C7D134A97B41A9045F0Ffalse-Unavailable 734700x80000000000000005502065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x80000000000000005502064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.528{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 10341000x80000000000000005502063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.513{4DF467A6-3F48-6132-1600-00000000F001}12487364C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.513{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.513{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x80000000000000005502060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.513{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=BFCFB0177935E235B1FEBADE3694839D,SHA256=CD1F41DAC68DF0F1F87F18DA18FAE8EB5B4260DFA400BF5392367CB12C0BFF7EtrueMicrosoft WindowsValid 734700x80000000000000005502059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.497{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000005502058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.497{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=94C93F32B21EB2DA6AFF2C264B17E623,SHA256=4ABE629C6A2A44F35F205709FB004837871D6CD4F3C21F2F77432B2F98DAFC77trueMicrosoft WindowsValid 734700x80000000000000005502057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.497{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x80000000000000005502056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.497{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=A6D357B5D2E7F2465F6FA882AA821E28,SHA256=94E388860E6CF3C8A2B4DA25C23D8B54A88C49E6CB7664B8A164FFC2B9316E7AtrueMicrosoft WindowsValid 734700x80000000000000005502055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.497{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=0F1E9D98CC524190E9B045908E6BC1F6,SHA256=252B3BA71F9452011FA60B6C7655DE65C93EE02754F6B7AF08CBBAAE844CDEEBtrueMicrosoft WindowsValid 734700x80000000000000005502054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.497{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValid 734700x80000000000000005502053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.497{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=AA7C77E4D80A83624BACD72A0A22E374,SHA256=E6B8C76FA6163B808D6B797B1227622925E2E861B383FB132C6B3D6BA24D71E3trueMicrosoft WindowsValid 734700x80000000000000005502052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.466{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000005502051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.450{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x80000000000000005502050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.450{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000005502049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.450{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000005502048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.450{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000005502047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.450{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000005502046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.435{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x80000000000000005502045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.435{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000005502044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.435{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000005502043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.435{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x80000000000000005502042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.435{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000005502041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.435{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000005502040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.435{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x80000000000000005502039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.419{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000005502038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.419{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x80000000000000005502037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.403{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x80000000000000005502036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.357{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x80000000000000005502035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.357{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 11241100x80000000000000005502034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F79AE99DAA2A478F0E2A01AFB3752A3,SHA256=D576A2C0C7A0C20749A5169098A8EB6EF55844977C79F950E26EF07EE8A75FE9falsetrue 11241100x80000000000000005502032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.310{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFB4803752B624016AE109B06B6C96B,SHA256=CED19CB38FD76307F434721CF49ACE1D74FB487B5B324A9575A7CB5F8E75161Bfalsetrue 734700x80000000000000005502030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.200{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x80000000000000005502029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.185{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000005502028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.185{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000005502027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.185{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x80000000000000005502026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.169{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000005502025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.169{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\AppPatch\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=3662AA8F2034650E7C045F1BCA730DDC,SHA256=55FEF94CB7F703BEB70D199F749364219DAE1D13E915389E3F4A2A230B5EBEB6trueMicrosoft WindowsValid 734700x80000000000000005502024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.153{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 734700x80000000000000005502023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.153{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000005502022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.138{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.138{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000005502020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.138{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.138{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.138{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.138{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.138{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000005502015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.122{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000005502014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.122{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 534500x80000000000000005502013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.122{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe 734700x80000000000000005502012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.122{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.122{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02trueMicrosoft WindowsValid 734700x80000000000000005502010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 10341000x80000000000000005502009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-4446-6132-EC05-00000000F001}17644228C:\Windows\system32\csrss.exe{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}80725564C:\Windows\system32\rundll32.exe{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\Shell32.dll+2b55e2|C:\Windows\System32\Shell32.dll+2b584b|C:\Windows\System32\Shell32.dll+2b6af6|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.116{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 c:\users\administrator\appdata\local\temp\docusign.cplC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL c:\users\administrator\appdata\local\temp\docusign.cpl 734700x80000000000000005502006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000005502005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x80000000000000005502002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-3F48-6132-1600-00000000F001}12487364C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000005501999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005501998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000005501997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005501996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000005501991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005501989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005501988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005501987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005501986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.107{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000005501985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69trueMicrosoft WindowsValid 734700x80000000000000005501984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005501983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005501977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005501976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667trueMicrosoft WindowsValid 734700x80000000000000005501974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValid 734700x80000000000000005501973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x80000000000000005501972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975EtrueMicrosoft WindowsValid 10341000x80000000000000005501971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-4446-6132-EC05-00000000F001}17645008C:\Windows\system32\csrss.exe{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}64165600C:\Windows\System32\control.exe{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5|C:\Windows\System32\control.exe+1f00|C:\Windows\System32\control.exe+1094|C:\Windows\System32\control.exe+14d7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.096{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL c:\users\administrator\appdata\local\temp\docusign.cplC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe"C:\Windows\System32\control.exe"c:\users\administrator\appdata\local\temp\docusign.cpl 13241300x80000000000000005501968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000005501967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000005501966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000005501965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 13241300x80000000000000005501964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000005501963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000001) 13241300x80000000000000005501962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetNameDWORD (0x00000001) 13241300x80000000000000005501961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypassDWORD (0x00000001) 10341000x80000000000000005501960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x80000000000000005501957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x80000000000000005501956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.091{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x80000000000000005501955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.060{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000005501954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.060{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005501953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.060{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x80000000000000005501952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000005501951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000005501942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005501941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005501927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x80000000000000005501926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x80000000000000005501925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005501923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x80000000000000005501922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000005501921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000005501920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000005501919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000005501917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000005501903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000005501902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000005501901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000005501900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.044{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000005501899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005501898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005501897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000005501896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 10341000x80000000000000005501895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.044{4DF467A6-3F48-6132-1600-00000000F001}12487364C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005501894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005501893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000005501892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000005501891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000005501890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000005501889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005501888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000005501887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x80000000000000005501886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000005501885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x80000000000000005501884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005501883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005501882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005501881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000005501880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005501879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005501878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005501877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005501876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005501875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005501874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005501873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005501872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x80000000000000005501871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:46.028{4DF467A6-3F58-6132-2B00-00000000F001}2948C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000005501870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exeC:\Windows\System32\control.exe10.0.14393.0 (rs1_release.160715-1616)Windows Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationCONTROL.EXEMD5=924219B426830FF7476AF7D22AE91DE1,SHA256=CB089C50698BEE280244437BCAF56D3955402A582E5E928DBC8812A5D9C0EF4DtrueMicrosoft WindowsValid 10341000x80000000000000005501869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005501868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.028{4DF467A6-1238-6139-BCD6-00000000F001}64446880C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d75ce|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d67fe|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d715a|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+cfd8e|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d09d7|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005501867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.030{4DF467A6-1272-6139-C8D6-00000000F001}6416C:\Windows\System32\control.exe10.0.14393.0 (rs1_release.160715-1616)Windows Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationCONTROL.EXE"C:\Windows\System32\control.exe" c:\users\administrator\appdata\local\temp\docusign.cplC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=924219B426830FF7476AF7D22AE91DE1,SHA256=CB089C50698BEE280244437BCAF56D3955402A582E5E928DBC8812A5D9C0EF4D{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 11241100x80000000000000005502398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.413{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B921401061D3184C0A5C1CF98CACB1,SHA256=F3E8DCD93E3FCD9F94D73E39C0F2C774D7451BC03ED1D7026AE12AFF3C6D2719falsetrue 23542300x80000000000000001551442Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:47.043{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5CD66D730E4D9EABBD10B24127F1C7,SHA256=C5F4D15BF2532D7ED35BA4E03855EA9D87F42B8BABA9EE08F6055C71EB37C601,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005502396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=0C5492DFFA271BC1912BADFEBB497907,SHA256=536C445B9D489749547FAC1D0B01AF7F430BBFE31BCD2924E7DB3BFE66785452trueMicrosoft WindowsValid 10341000x80000000000000005502395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-4448-6132-F805-00000000F001}32924248C:\Windows\system32\taskhostw.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005502393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005502392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000005502391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005502386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005502385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005502384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005502383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04EA\VirtualDesktopBinary Data 12241200x80000000000000005502382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04EA 10341000x80000000000000005502381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}962844C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.304{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005502376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005502375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.142{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4CC43D628C161C85C363CD84CC0BF14A,SHA256=752EF36CEFBEE18133343F35A7B012CB3A62415BE42F6C39A23EE4B021E5C631falsetrue 11241100x80000000000000005502374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-03 15:25:16.515 23542300x80000000000000005502373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=84BF2404930C6865359B5D16C56D3C69,SHA256=997CE2B15B9ADA574552FCC473566AA9E42225B1FA547CAC42A911466B847F9Cfalsetrue 734700x80000000000000005502372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.138{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 13241300x80000000000000005502371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.138{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 12241200x80000000000000005502370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.138{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 12241200x80000000000000005502369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.138{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 12241200x80000000000000005502368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.138{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 13241300x80000000000000005502367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.122{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0562\VirtualDesktopBinary Data 12241200x80000000000000005502366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.122{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0562 12241200x80000000000000005502365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.107{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 12241200x80000000000000005502364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.107{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 734700x80000000000000005502363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.107{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x80000000000000005502362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.107{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 10341000x80000000000000005502361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.107{4DF467A6-3F48-6132-1600-00000000F001}12487364C:\Windows\system32\svchost.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.107{4DF467A6-3F48-6132-1600-00000000F001}12481296C:\Windows\system32\svchost.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005502359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.107{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.107{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0936CCC0166958EF37C01C4766ED525,SHA256=E72DB2144F1B2EEA05D35CF41A111B80BAAD4DB7D805E403AC792DA9861A81CCfalsetrue 734700x80000000000000005502357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.091{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=31B320D99570E7D6FFE82CED32FD3863,SHA256=66782B6B23A96A8CA8D1B6EEACA4296683B90DB006015D00DBC4E3B8D51B5995trueMicrosoft WindowsValid 734700x80000000000000005502356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000005502355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_f676b148f252235c\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=97EE7292EC6BB81336C09BC99855D10C,SHA256=B1A4F56ADA2ECFF926B8786DE8D5C168C4254952CC35D440F06F928FCB037863trueMicrosoft WindowsValid 534500x80000000000000005502354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exe 13241300x80000000000000005502353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.075{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005502352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.075{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005502351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x80000000000000005502349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4trueMicrosoft WindowsValid 734700x80000000000000005502348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1272-6139-C9D6-00000000F001}8072C:\Windows\System32\rundll32.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005502347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539EDtrueMicrosoft WindowsValid 734700x80000000000000005502346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.075{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x80000000000000005502345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x80000000000000005502344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 534500x80000000000000005502343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exe 734700x80000000000000005502342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000005502341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x80000000000000005502340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000005502339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000005502338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000005502337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 534500x80000000000000005502336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1272-6139-CCD6-00000000F001}2256C:\Windows\System32\conhost.exe 734700x80000000000000005502335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x80000000000000005502334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x80000000000000005502333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000005502332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1272-6139-CAD6-00000000F001}1580C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x80000000000000005502331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 12241200x80000000000000005502330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:47.060{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0562 734700x80000000000000005502329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 734700x80000000000000005502328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 13241300x80000000000000005502327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.060{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005502326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.060{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\pzq.rkrBinary Data 734700x80000000000000005502325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 10341000x80000000000000005502324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x80000000000000005502321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000005502320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 534500x80000000000000005502319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1272-6139-CBD6-00000000F001}5808C:\Windows\SysWOW64\cmd.exe 734700x80000000000000005502318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x80000000000000005502317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000005502316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x80000000000000005502315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x80000000000000005502314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x80000000000000005502313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000005502312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x80000000000000005502311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000005502310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000005502308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 534500x80000000000000005502307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exe 734700x80000000000000005502306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000005502304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000005502302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000005502301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x80000000000000005502300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x80000000000000005502299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.060{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings 12241200x80000000000000005502298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.060{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500_Classes\Local Settings 734700x80000000000000005502297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeC:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXEMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301trueMicrosoft WindowsValid 10341000x80000000000000005502296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-4446-6132-EC05-00000000F001}17644908C:\Windows\system32\csrss.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.060{4DF467A6-1272-6139-CDD6-00000000F001}15841828c:\windows\SysWOW64\calc.exe{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+110b0f(wow64)|C:\Windows\System32\windows.storage.dll+11082f(wow64)|C:\Windows\System32\windows.storage.dll+110577(wow64)|C:\Windows\System32\windows.storage.dll+111565(wow64)|C:\Windows\System32\windows.storage.dll+1103a1(wow64)|C:\Windows\System32\windows.storage.dll+11276a(wow64)|C:\Windows\System32\windows.storage.dll+112b67(wow64)|C:\Windows\System32\windows.storage.dll+112195(wow64)|C:\Windows\System32\windows.storage.dll+1b9a58(wow64)|C:\Windows\System32\windows.storage.dll+1b9895(wow64)|C:\Windows\System32\windows.storage.dll+1b98f8(wow64)|C:\Windows\System32\SHELL32.dll+173251(wow64) 154100x80000000000000005502294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.054{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\Administrator\Documents\ATTACKRANGE\Administrator{4DF467A6-4447-6132-0BC6-380000000000}0x38c60b2HighMD5=A20DCDBED017776C8B3D01A511A8DC46,SHA256=84173F0B3176F68428A88A6870AF6236F28FAEE117074FB36A0BCCCFB55EB301{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exec:\windows\system32\calc.exe 12241200x80000000000000005502293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:47.044{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x80000000000000005502292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.044{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000005502291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.044{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000005502290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:47.044{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x80000000000000005502289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.044{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x80000000000000005502288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.013{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=EFF42660D02B0F49C42F3DB6AC58B805,SHA256=A59C173A52B8298F675514F4DBAE262F2B487EFB0F47E43E4F18E05A7060187CtrueMicrosoft WindowsValid 10341000x80000000000000005502287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.013{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.013{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-1272-6139-CDD6-00000000F001}1584c:\windows\SysWOW64\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.013{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValid 734700x80000000000000005502284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:47.013{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValid 734700x80000000000000005502283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:46.997{4DF467A6-1272-6139-CDD6-00000000F001}1584C:\Windows\SysWOW64\calc.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 11241100x80000000000000005502404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:48.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:48.569{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CC8E17447C248232E201E645B9823AC0,SHA256=37B76AB66D02CB5296CC997FD25F28D3C2DBEA53EC22446C58CD8FC94C69DF9Bfalsetrue 11241100x80000000000000005502402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:48.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:48.554{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11862CCFF0F1B36F1AE362BB7F323E52,SHA256=F0BF5FED22A0CB58225698FAAB4434BF303424959A10B5ED019C90A9858E879Afalsetrue 23542300x80000000000000001551443Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:48.045{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB739C99FE90DABC31044314F0FC667,SHA256=F58502C175010CA72E0DA179AF3FCA8BBD27EE9D4D015D06FA888E268557B189,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:48.054{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:48.054{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC77A14E60A45669B42E632CA876C012,SHA256=84E6EF42875ED2228B1DE90A2320CEF33E3E229A2CADEA131EC13507E8ED1C62falsetrue 11241100x80000000000000005502426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.726{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757626D32C6423D44294A000F9FA991D,SHA256=856AB9487A79F6741B42556D88F669ADAA999DA3AAB7AA1861E0F1C40C5B3B70falsetrue 23542300x80000000000000001551444Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:49.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4336F3283350F2431F8DC282BD6E195F,SHA256=07C80BF70E68687C04146D4A1A80E64F4AD2FB22511EC0F5C61A334490015480,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.444{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005502423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.444{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005502422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.288{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8CA0CB8BCCDB84351ADF135FCCE2DA05,SHA256=9D204287B88ADBE5BB85E24D53F3A65028F375622E0101F0A01091E79858A574falsetrue 354300x80000000000000005502420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:34.746{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49847-false10.0.1.12-8000- 13241300x80000000000000005502419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:49.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04EA\VirtualDesktopBinary Data 12241200x80000000000000005502418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:49.194{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04EA 534500x80000000000000005502417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.147{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exe 13241300x80000000000000005502416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000005502415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000005502414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}968104C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000005502413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D04EA 13241300x80000000000000005502412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005502411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\jva32pnyp.rkrBinary Data 10341000x80000000000000005502410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:49.132{4DF467A6-43FD-6136-8C7E-00000000F001}964068C:\Windows\explorer.exe{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000005502408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:49.132{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 12241200x80000000000000005502407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:49.132{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 12241200x80000000000000005502406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:49.132{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 12241200x80000000000000005502405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:49.132{4DF467A6-1273-6139-CFD6-00000000F001}6440C:\Windows\SysWOW64\win32calc.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Calc 11241100x80000000000000005502430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:50.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:50.757{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FAE134623F5E8EC0D74DB8F9473AC5,SHA256=BA0E18A13DF8685C50C71138D2A2E5588300655B48B7B43642AB68A6A2C59B61falsetrue 23542300x80000000000000001551445Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:50.050{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A7EBB6095F50EB338192787ECE7976,SHA256=031F1E0B7FEA114C99A1F04AB23D8073F41931FF3BEBD8449437B43717652876,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:50.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:50.163{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153BE4B385FBC65F44EE6B015DC6F132,SHA256=439C548CC49C046D763DE212BC042176E067B6DFC1E1A8B737B879A47596A92Cfalsetrue 23542300x80000000000000001551446Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:51.052{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096AAD095282E0B0F77F1746801032EC,SHA256=937289032462F0F93B12A9F810DA917C53404E5430570D0FEAB5A97BA70C50B7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005502468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x80000000000000005502467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x80000000000000005502466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x80000000000000005502465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x80000000000000005502464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7a4e9) 13241300x80000000000000005502463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xd9a4179a) 13241300x80000000000000005502462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7a4e9) 13241300x80000000000000005502461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xd99366ff) 12241200x80000000000000005502460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x80000000000000005502459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x80000000000000005502458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x80000000000000005502457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x80000000000000005502456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x80000000000000005502455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x80000000000000005502454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x80000000000000005502453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-291 12241200x80000000000000005502452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000005502451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000005502450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x80000000000000005502449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-291$ 12241200x80000000000000005502448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x80000000000000005502447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x80000000000000005502446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x80000000000000005502445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:51.646{4DF467A6-3F46-6132-0B00-00000000F001}6361432C:\Windows\system32\lsass.exe{4DF467A6-3F3E-6132-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000005502444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x80000000000000005502443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.646{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x80000000000000005502442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000005502441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248\lsassC:\Windows\system32\svchost.exe 12241200x80000000000000005502440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005502439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000005502438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal 13241300x80000000000000005502437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-291.attackrange.local 12241200x80000000000000005502436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x80000000000000005502435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x80000000000000005502434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005502433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x80000000000000005502432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:51.537{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 354300x80000000000000005502431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:36.942{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49848-false10.0.1.12-8089- 354300x80000000000000001551450Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:45.831{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551449Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:52.235{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBFB85DD14AC1EAFD70F8DD51659E36D,SHA256=5E96BF01392250ADD599DF98C5D9D79F5E01FAFFC495F2A98C91D27DA29BACA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551448Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:52.234{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1011481C1BEC66976676C946DDF05E40,SHA256=9ED98C3313D044D6117B9441214448D43A5CCAEB7C043406E14C5434196AE3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551447Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:52.054{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD20E091289705021CEDD4335AA7EE9,SHA256=47ED6E68F9ED4C0AE306BD680D60AD43A439D0EF93BA00A3D78E9E67A5965E74,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005502508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000005502507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities2086 15,1074 15,2413 15,827 15,134 15,2402 15,129 15,1001 15,2159 10,103 15,2324 15,185 15,1000 15,121 15,2401 15,1445 15,1338 50,951 15,1338 10,999 15,226 15,1282 50,831 15,1282 10,1338 15,2430 15,1282 15,132 15,1128 15,2328 15,2087 15,850 15,998 15,1039 15,828 15,2323 15,108 15,829 15,2088 15,335 15,830 15,1255 15,974 15,1249 15,670 15,671 15,1002 15,111 15,332 15,669 15,291 15,1249 10,70 50,2327 15,120 15,184 15,2325 15,2326 15,2329 15,116 15,2403 15,2404 15,2405 15,1209 15,2406 15,334 15,2407 15,1221 15,2408 15,2409 15,2410 15,1443 15,2415 15,937 15,1204 15,2411 15,2412 15,2416 15,2424 15,159 15,109 15,2414 15,2417 15,2418 15,133 15,318 15,160 15,2419 15,114 15,107 15,2420 15,2421 15,131 15,2422 15,2423 15,104 15,102 15,2425 15,2426 15,2427 15,112 15,117 15,106 15,1444 15,115 15,118 15,101 15,2322 15,113 15,105 15,123 15,2428 15,2429 15,2431 15,2432 15,125 15,333 15,331 15,2225 15,336 15,128 15,124 15,100 15,2433 15,1007 15,110 15,2434 15,1446 15,2435 15,2436 15,122 15,1373 15,2437 15,127 15,119 15,1008 15,2438 15,969 15,2439 15,126 15,130 15,1584 50,2159 6 13241300x80000000000000005502506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,22561229,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000005502505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds019677900,24131419,34968335,8758344,17134338,20039442,18409363,21378256,40920709,19200086,19972417,51655840,17634580,18658649,18375312,23979203,18658648,17698823,17183040,19677907,34968340,18948503,18658650,17650967,21378211,18637650,18674530,9319450,17126295,18948102,21313610,18409416,18948101,36517339,17634578,18400089,36761792,21030802,21378249,20979747,34968342,34968338,50890251,34968337,34968339,24470607,8448079,6366290,38013077,34968341,7690258,34968589,36274763,17182941,24406167,20027008,17182979,20027009,9176926,23205313,7690254,5850584,8263521,17622912,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,21378246,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,17045407,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,5888003,19732353,23979200,18384802,18633496,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077,19200081,25036313 12241200x80000000000000005502504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 13241300x80000000000000005502503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 13241300x80000000000000005502502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000005502501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000005502500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000005502499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000005502498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000005502497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000005502496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000005502495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000005502494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 13241300x80000000000000005502493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\2DWORD (0x00000000) 12241200x80000000000000005502492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 13241300x80000000000000005502491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 13241300x80000000000000005502490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 12241200x80000000000000005502489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005502488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005502487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005502486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005502485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000005502484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005502483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000005502482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005502481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000005502480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000005502479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:52.802{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 354300x80000000000000005502478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.044{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-291.attackrange.local49850-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000005502477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.044{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49850-false10.0.1.14win-dc-291.attackrange.local389ldap 354300x80000000000000005502476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.037{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49849-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005502475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.037{4DF467A6-3F48-6132-1600-00000000F001}1248C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49849-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 13241300x80000000000000005502474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.146{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005502473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:52.146{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000005502472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:52.115{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:52.115{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E92BEC273BBDB09681D780438264075,SHA256=AA08D14F6563FAFD1CA04BF657CE5CCCBA792BCAD48FD16A750CA5AE7AA3F56Afalsetrue 11241100x80000000000000005502470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:52.115{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:52.115{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B059DAB857A6BD4353266E34326611,SHA256=4DE6F528640B39BED51EFF7EA75BC659EAA921E81B0F6F549B086DE57E2084F3falsetrue 11241100x80000000000000005502549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.521{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.521{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CF58A1D2D7C5ABF1BBC6F3064D0FA300,SHA256=B46575EE7748BFE780F01D6F6B183721D1326D2572A2B535F3D1AE922362CC99falsetrue 354300x80000000000000005502547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.147{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49851-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 354300x80000000000000005502546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.147{4DF467A6-3F3E-6132-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49851-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local445microsoft-ds 11241100x80000000000000005502545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.271{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.271{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9717CECDC7A69231249097969982430,SHA256=402DB94F859669E9B9BB98F4E36169C5BA862D800A9E0C3B989A844239E53F1Afalsetrue 11241100x80000000000000005502543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.255{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.255{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1D38CD44DCF953B3B993A421392B86,SHA256=A41A6DC6EF5E615DC793105EDB8855D6742C940C566289930077A6E04E9454B2falsetrue 11241100x80000000000000005502541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.255{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:53.255{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161310C0AF8968CC070FD40179D66FE8,SHA256=F7E3C76B8042455AB2C8A814C445CA496F197DE4E723FF0C42DC94745CE3D4B2falsetrue 23542300x80000000000000001551451Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:53.056{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE131241BADDE9C4DD1412ACF78AEFD9,SHA256=DA669B41C353696A8A24697F49ED3351302CAAE9D8D2AF5BB3FAD2337DF5DFDB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005502539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000005502538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities2086 15,1074 15,2413 15,827 15,134 15,2402 15,129 15,1001 15,2159 10,103 15,2324 15,185 15,1000 15,121 15,2401 15,1445 15,1338 50,951 15,1338 10,999 15,226 15,1282 50,831 15,1282 10,1338 15,2430 15,1282 15,132 15,1128 15,2328 15,2087 15,850 15,998 15,1039 15,828 15,2323 15,108 15,829 15,2088 15,335 15,830 15,1255 15,974 15,1249 15,670 15,671 15,1002 15,111 15,332 15,669 15,291 15,1249 10,70 50,2327 15,120 15,184 15,2325 15,2326 15,2329 15,116 15,2403 15,2404 15,2405 15,1209 15,2406 15,334 15,2407 15,1221 15,2408 15,2409 15,2410 15,1443 15,2415 15,937 15,1204 15,2411 15,2412 15,2416 15,2424 15,159 15,109 15,2414 15,2417 15,2418 15,133 15,318 15,160 15,2419 15,114 15,107 15,2420 15,2421 15,131 15,2422 15,2423 15,104 15,102 15,2425 15,2426 15,2427 15,112 15,117 15,106 15,1444 15,115 15,118 15,101 15,2322 15,113 15,105 15,123 15,2428 15,2429 15,2431 15,2432 15,125 15,333 15,331 15,2225 15,336 15,128 15,124 15,100 15,2433 15,1007 15,110 15,2434 15,1446 15,2435 15,2436 15,122 15,1373 15,2437 15,127 15,119 15,1008 15,2438 15,969 15,2439 15,126 15,130 15,1584 50,2159 6 13241300x80000000000000005502537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,22561229,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000005502536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds019677900,24131419,34968335,8758344,17134338,20039442,18409363,21378256,40920709,19200086,19972417,51655840,17634580,18658649,18375312,23979203,18658648,17698823,17183040,19677907,34968340,18948503,18658650,17650967,21378211,18637650,18674530,9319450,17126295,18948102,21313610,18409416,18948101,36517339,17634578,18400089,36761792,21030802,21378249,20979747,34968342,34968338,50890251,34968337,34968339,24470607,8448079,6366290,38013077,34968341,7690258,34968589,36274763,17182941,24406167,20027008,17182979,20027009,9176926,23205313,7690254,5850584,8263521,17622912,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,21378246,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,17045407,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,5888003,19732353,23979200,18384802,18633496,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077,19200081,25036313 12241200x80000000000000005502535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 13241300x80000000000000005502534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 13241300x80000000000000005502533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000005502532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000005502531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000005502530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000005502529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000005502528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000005502527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000005502526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000005502525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 13241300x80000000000000005502524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\2DWORD (0x00000000) 12241200x80000000000000005502523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 13241300x80000000000000005502522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 13241300x80000000000000005502521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 12241200x80000000000000005502520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005502519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005502518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005502517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005502516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000005502515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005502514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000005502513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005502512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000005502511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000005502510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000005502509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:43:53.146{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\winword.exe_queriedQWORD (0x00000000-0x61391279) 22542200x80000000000000005502577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:40.285{4DF467A6-1238-6139-BCD6-00000000F001}6444nexusrules.officeapps.live.com0type: 5 prod.nexusrules.live.com.akadns.net;::ffff:52.109.12.18;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 11241100x80000000000000005502576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.662{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027202A6ED4D00225E495CD6AD951FC0,SHA256=EBACB7B2A85FA28FF0AE0BC6701CBF0C374D1F00D21C029F051ACEB06942E247falsetrue 354300x80000000000000005502574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:40.387{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-291.attackrange.local49853-false52.109.12.18-443https 354300x80000000000000005502573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:40.307{4DF467A6-3F58-6132-2600-00000000F001}2848C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local61866- 354300x80000000000000005502572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:39.753{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49852-false10.0.1.12-8000- 10341000x80000000000000005502571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005502552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.443{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551452Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:54.058{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D87E1BD9A655358A15B42B8612D650,SHA256=225A2923BD282D4339972444D90F8952343DED495C4B88A1AC6932A9EA973984,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.349{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:54.349{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D997A85B7A607B80687C25F032868AA9,SHA256=6B0154196A492187B52B9B99890EE9D82293CBB9A1A5C9652257751F3B2D3F5Efalsetrue 11241100x80000000000000005502579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:55.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:55.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46C98FE2DA5802DC01B0235DB5D93D9,SHA256=DD4516CADFA0031B3B788D08F9FC7614D2FFC8DA84F94EEBEF50777A4F7DACE9falsetrue 23542300x80000000000000001551453Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:55.061{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61A99674A7A7AD2B7344E502158DA06,SHA256=70D70CE2280740221A69A8409430341D8967668A0176390BDA643164DDB02CBF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:56.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:56.505{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E620ADB6689F592E3E12A7402F382AE8,SHA256=77483DE9B692CBAC767BDB8A886AD9A082084D5788A50F1325353CBE3D0294D2falsetrue 23542300x80000000000000001551454Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:56.063{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E892323E42245E4AAFFE064ADB842CE4,SHA256=26E4528D6B4261943E8B2731E54F8B920F0AFFFA6CE151EA72EEA792C5F22E4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:57.521{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:57.521{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84ABB11617E41A592209963F2C67703B,SHA256=82B03840BA994E428C26E9A93AD37C2D7565A07F2D4C62137D463ABA02163963falsetrue 23542300x80000000000000001551455Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:57.066{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5115A92BB95095A9D57CE97AE8B289D2,SHA256=F42FC596E72A03479E673B8E33A05B869786EB5AA0E434DC490DD88079730FD4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:58.724{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:58.724{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=21936585F1BCA22FCD273C829A1A6B1A,SHA256=CB3A221222BCF88149F56FF31F95930A9D5CD15B5833EB16B1D2E986D211155Cfalsetrue 11241100x80000000000000005502585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:58.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:58.708{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27016788FFD75BBABF1E018AA394FED9,SHA256=4262B8AF3B91E4B6EF3A5EEC924D8F754E86083F26B5F213986284EE4661A3C7falsetrue 23542300x80000000000000001551458Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:58.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11F7B6EA5E3E2EC8B8A16C2C1B4D246A,SHA256=61BD8ACC19D2C0EC3B5D7ED151A369ED7BAC5EB3A4EC80AB93DA8D11A6FD25F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551457Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:58.200{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBFB85DD14AC1EAFD70F8DD51659E36D,SHA256=5E96BF01392250ADD599DF98C5D9D79F5E01FAFFC495F2A98C91D27DA29BACA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551456Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:58.069{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AEE14D3A03AFF8E69CBF4A38283714,SHA256=7D03A637C3D24DA76D7E210B578B5586A593AD1B34CC8326927B2E61C8AA5681,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.740{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9AFE16220E36575383282F69D8F371,SHA256=26024624FD06E5D923550936CA826734C7DDBE55111E14BC4B05C86623360C86falsetrue 354300x80000000000000001551460Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:51.798{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551459Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:59.072{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6759EDD53E892F483E68AF1BE417FF,SHA256=6D0C905316A6E414136371BE575D1DF6E33960F91211A7FAD3360A3CC0FAF409,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.380{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.380{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AAAF0AC272D5E5BF033DABEAA386823,SHA256=2C6BD33EE054671FC51FF442E93450077368343EAEE0AC4FDEF12FAEBB4C081Ffalsetrue 11241100x80000000000000005502591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDB3330AC41B0AFD2D63A96D644F5C98,SHA256=D700F0111343B9C4A45D4A8316B8B2C324856AB8845D19A33D3D337D969DEF19falsetrue 11241100x80000000000000005502589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:59.146{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BA77A88C5D74181D8A8BA844018276B,SHA256=7DC376B4949A6E4038D68907C57D83BE01B39A4747C8258C68BB0FAE576D9410falsetrue 11241100x80000000000000005502598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:00.771{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:00.771{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97642B79D6B6C330F8944F9318FA8A39,SHA256=9D7D87E4B04F65DA262142412C5D908BF88D5989DAA9134898218740EA125639falsetrue 354300x80000000000000005502596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:45.581{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49854-false10.0.1.12-8000- 23542300x80000000000000001551461Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:00.074{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E335B26AEEEA70F3CDD9028A3C8D01E,SHA256=3B9B8500CE331F11EA7E2B07C80F96B05B34EBDF61D82D3B8CA9FC33F4C66C79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:01.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:01.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591A01E4D93E55BDD1CA25617D1E5B94,SHA256=65D10D0316A3979D780A0D4864CDE09BB898EC9B17D88D4E325234D740269515falsetrue 13241300x80000000000000005502599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:01.115{4DF467A6-3F48-6132-1100-00000000F001}360C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7a4e9-0xdf48ec3d) 23542300x80000000000000001551462Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:01.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812DAE6E532360853B683054DFBCDF50,SHA256=238F74DDB9A0B0EEEB6A096A5B047FE221503751F54DA1CDB20D3AE486513B78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:02.849{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:02.849{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733536F2D0EF7B87E9CA405012AED989,SHA256=1D41F46BB301D45FBD241D5CCDF36A5DFE3E3E2BEFEA607F5ECE910532A33EBAfalsetrue 23542300x80000000000000001551463Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:02.079{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8214817E145CFEC039A9039189E799,SHA256=42117BB8DBE347837C64D87FDA80769EF2AF3C89012CABB1EC43B399EA9751F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:03.865{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:03.865{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE39E6C237E18E166169DE72D736853,SHA256=CF04AB831C74CFAE08E4617C03D3BB019D5DB72E88D4A18C654394A4F1B7942Ffalsetrue 11241100x80000000000000005502607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:03.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:03.818{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7EB26A530EF4FDAB8F723008F0EDF808,SHA256=C0DC7E5142AF82A47C1EEDE724680937268CE656E75B61A6FD42DEA832E46235falsetrue 11241100x80000000000000005502605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:03.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:03.802{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDB3330AC41B0AFD2D63A96D644F5C98,SHA256=D700F0111343B9C4A45D4A8316B8B2C324856AB8845D19A33D3D337D969DEF19falsetrue 23542300x80000000000000001551464Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:03.081{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7739034358559B29B1C8B742C514B5F8,SHA256=D11CE347C91F3A27AECCA18D85187C0514B7F259D2045C384EC336701689EEF1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:04.880{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:04.880{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2F7364452804CAF2CEAD81FC7EA040,SHA256=229D60FC0D482736ADFD502E070EF6E0AE429BDE701529348DC7C25B63DCEF88falsetrue 11241100x80000000000000005502611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:04.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:04.458{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E58ABAD29ED5F3C1E7B8EA38855A6F6F,SHA256=3652E7A1080B2873D9C417E4D94195DAF7B89159A9ACF878D5CED064E473D955falsetrue 23542300x80000000000000001551467Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:04.184{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AD2FA1F3EAE9011914438258F4F483A,SHA256=FDFB53461B2705AE7DB65C7E54B2AD63E8FE71A8BE19E3FB1618E55ED3892C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551466Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:04.184{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11F7B6EA5E3E2EC8B8A16C2C1B4D246A,SHA256=61BD8ACC19D2C0EC3B5D7ED151A369ED7BAC5EB3A4EC80AB93DA8D11A6FD25F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551465Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:04.083{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBAB9B12ADC0C7CB2A28EED7F2E0B24,SHA256=886A5D9501AE999A375D2CB5A400EF85ABC5026AC1C58A39B2358D3504B28DDC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:05.943{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:05.943{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE5732ADD0BC0FC8AD570569560323E,SHA256=1FEE4AD46D09C29C53722DA87CFFE6835A9769B6E1C4F7A0DA2CC137CEF5E5D3falsetrue 354300x80000000000000001551469Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:43:57.762{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551468Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:05.086{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305760BC757191209FD64B51D98D4469,SHA256=2FF2595BB4C315848073A89553D0B56095ED1C693848C6D2AF1ED1980582C573,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005502616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:51.581{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49855-false10.0.1.12-8000- 11241100x80000000000000005502615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:05.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:05.099{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9C7F0ABDB3B841947B8734F3E9EBB69,SHA256=D47BD0B26765AE2A8FA03F90C34453D2717948E52D01E2869850919279F7A059falsetrue 11241100x80000000000000005502620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:06.958{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:06.958{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1384C51149F0A9958B5D31F0B9B6D81,SHA256=0930D5325F821BBE618F8FEC3679F38C344106A2B929A2900D4CEF4CB8A1B1D6falsetrue 23542300x80000000000000001551471Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:06.620{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F1B18499363C441ECD1D2B2193FD1629,SHA256=901A56B85431CB9A48B0D3A0369062D5D3D86462CC554B5577DDEEBE22D142DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551470Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:06.104{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9348C60C979AE89745EE36326F83F6,SHA256=669853014DFBC5029D0D27764FE587D5785E4D6DB6C80C16F66BD45CE3A3D64C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:07.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:07.990{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8E9A56F1B4AD776AAE07D2F3F172A2,SHA256=1FD78D300E098A41F166EBED32B2FFF35C41AA073898B150AA42486E7ED61D29falsetrue 23542300x80000000000000001551472Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:07.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C7381875E65536317895B346068E97,SHA256=A338853A0926C4E97F10A406C37E0E353FA0B1EB3CD2C36FB2F5649FB7407249,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:07.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:07.005{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A149E74966ED4BBC7DF9FA781C3D8668,SHA256=2A22392C1DB73E06756D53AF2EE89A0108890805C0DD2957A12A30FC63FB8DAFfalsetrue 23542300x80000000000000001551473Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:08.108{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0905DC6EBE4F1BB7E1D0B84D310EC627,SHA256=D6FC4A6533D093D95F2A921617D3BE5ABCC6ACEDF0CBEC5A6AF651866427B62B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:08.677{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:08.677{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B19E14E5831B5F0653B88AF9D22CE4BE,SHA256=1466F3260BF3258A3AD777F811935D618BB52CEFE3C0686BE8FDA87A915E80F5falsetrue 23542300x80000000000000001551474Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:09.111{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DE75F3E8A2A3677415AF307E308510,SHA256=222AE527F0C20F4AAA662C19EBE87D4DBCEB8CFBF7ABB574D10E78BBD5510782,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:09.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:09.474{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4FD9A23EBFE03F872C62209433006F52,SHA256=36DE71C211DC2DCE595B0DCBA1DEA9B3384BA328C1631B70D9E9C599AACD6F31falsetrue 11241100x80000000000000005502628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:09.021{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:09.021{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91661911A39AB8D9E35EB50368FDFDD7,SHA256=EB7A828ABF04169045057A4F398829B385EB3FDF179E8C9C11782FCE4D5264D6falsetrue 23542300x80000000000000001551477Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:10.197{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5223061EB2A8415CA1141F6362891B9,SHA256=864B268AC778DD9DC29646D1E51505320A44A2435BAFDD79326A70562FB935EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551476Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:10.197{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AD2FA1F3EAE9011914438258F4F483A,SHA256=FDFB53461B2705AE7DB65C7E54B2AD63E8FE71A8BE19E3FB1618E55ED3892C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551475Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:10.112{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2604D2BA754529E11148517E51DC2236,SHA256=5213547FD4E8CA81574D788E5E79EC02108D213ED2A5043D1EE00C2BB8F26BC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:10.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:10.130{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C1E87C29F1E82C55630F8297BEEBC13,SHA256=E39FBB0C2AF88EA24D24501658196C0CC8322FF7D0B602C6CB14DEB2F86E5531falsetrue 11241100x80000000000000005502632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:10.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:10.037{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7043FAE6AC1345003F9309823BC3F00,SHA256=F025D17DD6CC4EC28307E2D7DC9004A1A69F5414B21F99147145F51A6A32C122falsetrue 354300x80000000000000001551479Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:03.758{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61759-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551478Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:11.115{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92193A82E776AFFFAF478476935EBD4C,SHA256=CEF0286460618FAF51DB4856EE10C4499F854234FE99A2DAC2D7EE573BDE6018,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:11.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:11.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61382179070D275EDCC99267D681CF2,SHA256=B10BCBA06EEA4742E143458F07D27B69050DB904D8BCD114F43C31E884F6AB93falsetrue 354300x80000000000000005502639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:56.597{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49856-false10.0.1.12-8000- 12241200x80000000000000005502638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:11.291{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005502637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:11.291{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005502636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:11.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:11.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C3A52481DECC2FA7EC34CFADADFF43,SHA256=B81B6C84F00EB553707FCE39DBF23203F5E18FE038D47D97E1FE521B7E58B6A6falsetrue 11241100x80000000000000005502643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:12.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:12.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984268ED8723F68A589180D23CAC4D3C,SHA256=15663C374BFF0DC67141194570566D5ECCDE285C675C881C1CCA247AE3A6A873falsetrue 23542300x80000000000000001551480Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:12.117{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A1EDAC6620CC715A8749A7947616FC,SHA256=9CB1BEB7D63B0FA0BE1CB6CBF252EE8F1F91BF3040F90A4291B63F87DEAEB01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551481Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:13.120{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF272C8EC49EFF41FF0E3BCCCAC95CA2,SHA256=1FADFD65494C92DB43820D574B0337C7101BA56DCC0EF4EA8ACD277C27149AC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:13.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:13.916{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F3CE9AC69C5437430D048B28256AE73,SHA256=054B41F44246517CDB0B3CBB1EC43F5CD4C9A98485FF0707D508770BCC6B6426falsetrue 11241100x80000000000000005502647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:13.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:13.134{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AFB7208EB5226BFC1BF5F3DD3111DB,SHA256=D9EAE635D66FE108307330803643E09BE26EB839D46742483B265F28767E5E48falsetrue 354300x80000000000000005502645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:58.788{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49857-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005502644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:43:58.788{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49857-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 23542300x80000000000000001551483Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:14.891{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551482Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:14.123{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E6AAEE681C6ABE7D898A364FFB27F1,SHA256=CC3E8A8C0EEA5D4F60C259312C6CAE752D3AD8061EC3C3E6268026AEBADF780D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:14.509{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:14.509{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DB17BDFD140DF28F555ECE2CA09B903C,SHA256=83D963A0D227736F06D70A0170CB45F9165F030B631D1EC7715B9DAE450E044Efalsetrue 11241100x80000000000000005502651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:14.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:14.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E153E1A905879D5AA21F59CAD57AB7A,SHA256=A5C45BFCA58AB0DD0A42255EA9C4D6EDFCEB2E9FE4D5514A7C109344A0705436falsetrue 11241100x80000000000000005502657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:15.244{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:15.244{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F027D7446AACE7A49A729FACA7741E01,SHA256=18C88E535772BFB710D4B15A4A76DF3B4D5A3686B8F076479B3F0ADC0B7D3C7Ffalsetrue 23542300x80000000000000001551486Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:15.872{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5C075A4BA5B27789699B8B71079F6F5,SHA256=3634D2036E1394886DF56D9E322D1DD3790C067987AC22B0925B6A44E60BAB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551485Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:15.872{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5223061EB2A8415CA1141F6362891B9,SHA256=864B268AC778DD9DC29646D1E51505320A44A2435BAFDD79326A70562FB935EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551484Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:15.124{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5F4F3563D509AA397D36DE7C2B3F8A,SHA256=743D100F69F659F1E5BEFAC58647877A2FD5418EA2E901781C35A08418A18299,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:15.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:15.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EF6BDFC3DA587E5F4F27FDF40AFD0E5,SHA256=99F688F7ECE5BF2F889101A87F5D9E009D27FF9C5E54396DFC7FB8D2B5B55D2Bfalsetrue 354300x80000000000000005502660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:01.679{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49858-false10.0.1.12-8000- 11241100x80000000000000005502659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:16.259{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:16.259{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BCFAD486D7D795FFD510CDD024AF08,SHA256=9AC4BB509D64FC4865E74DE19D8DA4F22B3985F7924AD55C3A777C92376B647Ffalsetrue 10341000x80000000000000001551497Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.858{AEE49BD1-1290-6139-BAD0-00000000F101}51644560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551496Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.743{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1290-6139-BAD0-00000000F101}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551495Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.743{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551494Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.743{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551493Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.743{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551492Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.743{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551491Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.743{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-1290-6139-BAD0-00000000F101}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551490Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.743{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1290-6139-BAD0-00000000F101}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551489Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.728{AEE49BD1-1290-6139-BAD0-00000000F101}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001551488Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:09.472{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61760-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001551487Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:16.126{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD7F333EB786D698257B86CBF4610D5,SHA256=4CE2AAEDF3F4C5A5F462EDC80BB5380520878F7085341A94FFF59B15720BE42E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:17.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:17.431{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E981ED9D3B701C93AFB5AA3EBC741E8,SHA256=15E9E255F53F3BEF5DAA3E80FA35CD94E2A75B88BB780C91E5783ABA745791C4falsetrue 10341000x80000000000000001551516Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.875{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1291-6139-BCD0-00000000F101}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551515Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.875{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551514Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.875{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551513Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.875{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551512Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.875{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551511Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.875{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1291-6139-BCD0-00000000F101}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551510Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.875{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1291-6139-BCD0-00000000F101}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551509Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.860{AEE49BD1-1291-6139-BCD0-00000000F101}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551508Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.744{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5C075A4BA5B27789699B8B71079F6F5,SHA256=3634D2036E1394886DF56D9E322D1DD3790C067987AC22B0925B6A44E60BAB5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551507Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:09.690{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61761-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001551506Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.275{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1291-6139-BBD0-00000000F101}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551505Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.275{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551504Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.275{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551503Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.275{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551502Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.275{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551501Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.275{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1291-6139-BBD0-00000000F101}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551500Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.275{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1291-6139-BBD0-00000000F101}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551499Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.260{AEE49BD1-1291-6139-BBD0-00000000F101}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551498Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:17.128{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429655F8F769DE9E8E8647ECD38BFFCF,SHA256=1BD6CEB8ACA3ADA01EF99ECA78800A257705429A58873782C584549E57806915,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:18.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:18.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=194B10AAA8640FFE6A2974DE1630CB34,SHA256=1A165C047C803AFC1F6C47E48E28233A87E9831DDDD9524D987D594182036F86falsetrue 11241100x80000000000000005502664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:18.556{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:18.556{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF81A79143F138D7302B0F46F2E8007,SHA256=F6A2A7C3D1E3DE284B89F3963381C4015D85F9603A8F3AD9254863E062E11761falsetrue 23542300x80000000000000001551518Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:18.877{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D073513B7486B6F32F2E1CC5FBC26E71,SHA256=EF933EE1A9556A0771267C96F6317EF15EEA8BF6D49F369F56400A7A415DAB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551517Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:18.129{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447C7F3C4571C4983238F97028AFA0C4,SHA256=03ED3BC9CEF8538806EF401E248E6ADAA7712832605400C3EC0A91D4E1CE6153,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000005502725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005502724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EA9017D9BB96BD686C480DAE63C602,SHA256=9EEF136216DFFAAF7792E279CDBF6B2A4A668E3612AD1701DFB3044E4436BFF7falsetrue 23542300x80000000000000005502723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.884{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7137B46FF8103CED170B7A1FC531708B,SHA256=EA844BC4791D6C50D38FE8412097E62555A946D34F2F1795336E8A8453E575E5falsetrue 534500x80000000000000005502722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.588{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005502721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.588{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005502720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.588{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005502719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.588{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001551519Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:19.131{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7884DFCAC9D9839F4401B734BDD7AFF6,SHA256=EFE4762CD8B213EDE54D29BCCF483137FC2865AE22E64CA094C15844A4CE6E36,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005502718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005502717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005502716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005502715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005502714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005502713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005502712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005502711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005502710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005502709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.478{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005502708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005502707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005502706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005502705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005502704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005502703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005502700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005502699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005502698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005502697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005502696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005502694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005502693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005502690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005502689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005502688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005502687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005502685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005502683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005502682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005502681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005502680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005502675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.463{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.448{4DF467A6-1293-6139-D0D6-00000000F001}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005502672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:19.447{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:19.447{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:19.447{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:19.447{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:19.447{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:19.447{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 734700x80000000000000005502839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.963{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005502838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.963{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005502837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005502836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005502835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005502834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005502833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005502832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005502831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005502830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005502829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005502828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005502825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005502824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005502823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005502822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005502821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005502820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005502817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005502815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005502814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005502813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005502812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005502810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005502809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005502808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005502806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005502805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005502804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005502803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005502802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005502797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.947{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.931{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.932{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005502794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.931{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:20.931{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.931{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:20.931{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.931{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:20.931{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005502788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.744{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F9020309BADE6711274FE8382C2DE9,SHA256=A3FF68E8C8D11E040A62B03804795F3F4C0902461A9E3B06DDDA3B45110CFD38falsetrue 23542300x80000000000000001551520Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:20.133{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39BC69058DE44F36387089CCEFF6BC6,SHA256=5ADBEA10A573993F338EB698F96CF45610CF49B40DC4CD95FA23B8E700FC5A6A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005502786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.478{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.478{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=543357D2638C40F49DBF426315610C41,SHA256=82EC57FF089F5B31C0A1A19658CBCB588913E3D8A739EFADA210D855A9F0215Bfalsetrue 11241100x80000000000000005502784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.478{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.478{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9893E2C33B19EF76EE4B1A6854180152,SHA256=24F2C9995EF283CC21A5CBCC377228B8D717F7F52BEB5444704E82ACD5F572ACfalsetrue 534500x80000000000000005502782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.431{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005502781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.431{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005502780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.431{4DF467A6-1294-6139-D1D6-00000000F001}62161856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.431{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005502778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.416{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005502777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005502776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005502775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005502774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005502773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005502772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005502771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005502770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005502769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005502768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005502767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.306{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005502766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.291{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.291{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.291{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005502763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.291{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005502762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.291{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005502761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.275{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005502760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.275{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005502759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.275{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005502758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.275{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005502757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.275{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005502756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.275{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005502755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.275{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005502751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005502750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005502749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005502747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005502746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005502744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005502743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005502742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005502741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005502740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005502735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.259{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:20.135{4DF467A6-1294-6139-D1D6-00000000F001}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005502732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.134{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:20.134{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.134{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:20.134{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:20.134{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:20.134{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005502907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.994{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005502906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.994{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=543357D2638C40F49DBF426315610C41,SHA256=82EC57FF089F5B31C0A1A19658CBCB588913E3D8A739EFADA210D855A9F0215Bfalsetrue 11241100x80000000000000005502905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183B130E229A408FCFF9568B1BC06091,SHA256=DC203F00545B54561DCB1AD866380A4DB42694A345BFCC1531044521431F6FEFfalsetrue 11241100x80000000000000005502903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005502902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.963{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240F602C203500423031CD04220E6E39,SHA256=212238B8F997E87558222902FE66FA415C0FB0262C3DA2950969736619CF9ABAfalsetrue 23542300x80000000000000001551521Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:21.136{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEFF7E1F0FE84235ACC3674CE43829F,SHA256=6CA31B8DEF6425597191447B434D5CD9E5E70BCE9C1D7346CCCEEFC84E27188B,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005502901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.728{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005502900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.728{4DF467A6-1295-6139-D3D6-00000000F001}62526680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.728{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005502898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.728{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 534500x80000000000000005502897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.650{4DF467A6-123A-6139-BDD6-00000000F001}7756C:\Windows\System32\wbem\WmiPrvSE.exe 734700x80000000000000005502896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005502895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005502894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005502893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005502892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005502891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005502890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005502889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005502888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005502887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005502886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005502885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005502884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005502883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005502882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005502881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005502880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005502879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005502878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005502877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005502876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005502875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005502874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005502873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005502872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005502871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005502870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.603{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005502867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005502866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005502863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005502862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005502861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005502858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005502853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.588{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.463{4DF467A6-1295-6139-D3D6-00000000F001}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005502850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:21.463{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:21.463{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:21.463{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:21.463{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:21.463{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:21.463{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005502844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.072{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005502843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.072{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005502842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.072{4DF467A6-1294-6139-D2D6-00000000F001}74325904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.072{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005502840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:21.072{4DF467A6-1294-6139-D2D6-00000000F001}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001551523Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:22.138{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1688340EDD765802CE6558FD622E4A9,SHA256=70EE1411229630F4EF62D3E14F628AB87B4A84A4783951E4C4488A3CA118AF17,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005502965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.525{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005502964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.525{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005502963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.525{4DF467A6-1296-6139-D4D6-00000000F001}78562984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.509{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005502961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.509{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005502960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005502959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005502958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005502957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005502956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005502955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005502954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005502953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005502952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005502951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005502950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005502949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005502948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005502947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005502946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005502945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005502944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005502943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005502942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.400{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005502940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005502938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005502936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005502935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005502934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005502933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005502932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005502930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005502929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005502928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005502926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005502925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005502924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005502923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005502922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005502917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.384{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:22.260{4DF467A6-1296-6139-D4D6-00000000F001}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005502914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:22.259{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:22.259{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:22.259{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:22.259{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:22.259{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:22.259{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000005502908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:07.569{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49859-false10.0.1.12-8000- 23542300x80000000000000001551522Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:22.102{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48AA4AEE48F05CA254A5F2E6207C1300,SHA256=0ED99F720346FC6D42BD72574ADFEBD63AB9476C0E19F0D3112C760819F2DEC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551525Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:15.652{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551524Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:23.141{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DF437A546D0481E7F8EC6440DF45AA,SHA256=76F96744FC02F59CAABBC55B00BC28F1F5C55931F46DA6BEA1543EE4AE82A3AB,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005503063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005503051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005503047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005503045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005503043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005503038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.978{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.854{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005503035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.853{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:23.853{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.853{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:23.853{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.853{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:23.853{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005503029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.322{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005503028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.322{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005503027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.322{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.322{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005503025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.275{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.275{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6B45E3A3849FAB5B386F75D216EA96C,SHA256=1D0498C58A82488274284778107CC9AF13DA1C6FFFF29901EF69310B48E800CDfalsetrue 734700x80000000000000005503023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005503019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005503017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005503012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005502999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005502998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005502997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005502996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005502995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005502994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005502993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005502992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005502991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005502990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005502989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005502988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005502987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005502986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.197{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005502985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005502984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005502983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 11241100x80000000000000005502982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 734700x80000000000000005502981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 23542300x80000000000000005502980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF516B311967D6CC50ACF909733D1D43,SHA256=0A9902E80269288623D2384D2FB26FE38B51AF5F33C88B913DCEDA7F01EE9B8Cfalsetrue 10341000x80000000000000005502979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005502978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005502977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005502976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005502975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005502974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005502973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.181{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005502972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.057{4DF467A6-1297-6139-D5D6-00000000F001}8068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005502971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:23.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:23.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005502967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:23.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005502966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:44:23.056{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551526Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:24.144{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3073716C9037D0B26FAB9348A3E83208,SHA256=D7F30925326D5A39904FE26C13B1BFD741EE74685F162F965C181D3442EDC804,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.634{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.634{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=61DC5D0C3F5836EE8AA9E4DEE7B5987B,SHA256=E208C19906E98FE5091E8820DBEFDE3E02DBCD474129858A989A554C74746B0Bfalsetrue 11241100x80000000000000005503093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.338{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DF1CF7D06C9B024ACED465096C1EE67,SHA256=DAF58AE65AA82D34534C26DC07F67BD5018DC06B64DA48BFD824B9AAB5A5CA87falsetrue 534500x80000000000000005503091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.134{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005503090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.134{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005503089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.134{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.134{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005503087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.088{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC80500348676916D3F34C4EE5A0B7D7,SHA256=689EEE3C0BC37EA5B59964D5BF6A3D773538417A3EA650993530FF802BA09746falsetrue 11241100x80000000000000005503085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.041{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68BD806D5583D572CCE1D108C7B9900,SHA256=752CB268A37D56B6EF3CEBD198779E57145302331634C0442947063A97F285FBfalsetrue 11241100x80000000000000005503083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=67D573E7C41268A773AE9A229F76482F,SHA256=7C78907C734CCB95FABD5BC1D4D2924FB7D2CCC365F444839C43BEC0143D973Dfalsetrue 734700x80000000000000005503081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005503077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005503075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.009{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005503070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:23.994{4DF467A6-1297-6139-D6D6-00000000F001}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 23542300x80000000000000001551527Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:25.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D47D46CC14AE710212B309C69C7E651,SHA256=01E9971F0919EE98F0A8826D119E8351772A56871D048A4BDB9D48E4E077C24F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:25.150{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:25.150{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDE80FF821F2A892349391A75F534D2,SHA256=1763122604E01A0C7D24B6E098A9C28BFB140A7C4F15B761D36A85C1A46A1CC8falsetrue 23542300x80000000000000001551528Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:26.149{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45953F102A51843F698BF9B80251EFC9,SHA256=51D8FC0925230FFF35A45958C5524CE5142B41E268FAB4E508B1214D869B4782,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:26.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:26.166{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3340569FCE7C687322AAC1CC65717710,SHA256=2AD1586E61281E61F7D9DC64F89EF93DED6651936F9848987B0D29B4A3009345falsetrue 354300x80000000000000001551532Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:20.812{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61763-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551531Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:27.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5980395A13D2A1F5BE35EEBB4AF185E,SHA256=753F63890E3FAE699792D9616E1D598999352C2A2075C1A3D7670A4F2187075D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551530Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:27.217{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13F3FE7AA4AD115DD667E5A58B7945C4,SHA256=8CBDF7F3F80CBB3981299C6D8CF6EC78A00E4A7C28D49554988C9D267BBA3F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551529Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:27.152{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515D3C2884D1EE986131D840EA9279F0,SHA256=4F729D7CFC355F38304CC5EC167656A847047B3F78176AEC322B652CE3E69C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:13.600{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49860-false10.0.1.12-8000- 11241100x80000000000000005503103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:27.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:27.181{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B647ECCFA2D345DB1D7055CF126492B0,SHA256=9A955A3AFD8BC1D0DADCF1B76D603671E5973B57A60505F5A9F21D3B6FE23716falsetrue 11241100x80000000000000005503101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:27.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:27.009{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE632624825FCE83C58D08788C4B272B,SHA256=538EC33A75C0E38522A5C19AC025243436FD66B30E1AEE001494845FEC1AF19Dfalsetrue 23542300x80000000000000001551533Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:28.155{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CFEB2AA82AE44A150B18B342415CD1,SHA256=713CA84B9DEDEC520DE1C4BF26F7169282F18FAF09CD7DE71189A98B1BD7C9FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:28.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:28.978{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A6EBC5380E00883DAECFBC28DE827D7,SHA256=5DE9AB639753CF6019A6499CEA4A4C5894BD6C8CD9A47ECF3471D53AD3471982falsetrue 11241100x80000000000000005503106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:28.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:28.213{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D421683239F8453E932856818112A8C3,SHA256=07D698A613F70A23D744AFAAA2F8733F969956C86F4107A64D74CCEE7D81071Afalsetrue 11241100x80000000000000005503112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:29.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:29.681{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAE28C3D5CEFDBD5977725EF3B8E922B,SHA256=BD609834CCAB3BACC0B804E7FBF353E154C55BC9DD9E8281D38146C31DB74017falsetrue 11241100x80000000000000005503110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:29.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:29.228{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D307A90822EEC4952578618377838D,SHA256=A3148DA3978B561469FBE33901181FD76B0F3C89D62EAC43083783DC8683B825falsetrue 23542300x80000000000000001551534Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:29.158{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFE9BF357BF6FAD51FE5738DB93B149,SHA256=BB64DF72E813D66A9C5980582C0EAD142C9EA293A72B09F30CF6D07DCB938124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551535Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:30.160{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2CB966A283C824D8C7D69044275499,SHA256=663E00086E97B2E171881FD0A36DACF39A828B07379C9F22391B4E87CA4D620A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005503117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:30.419{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7269MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005503116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:30.418{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72692021-09-08 19:44:30.417 11241100x80000000000000005503115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:30.417{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72702021-09-08 19:44:30.417 11241100x80000000000000005503114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:30.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:30.339{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D86D9F2630308F23C04DDE1FAF464B,SHA256=A4FAB9152B94666F2BCA0A749B3FE5F285B6A3CDE405DD3C9B01756C363B120Dfalsetrue 23542300x80000000000000005503122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:31.419{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7270MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x80000000000000005503121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:31.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:31.340{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8C7BAE46486AEBCF85353A3ED46768,SHA256=DA6656FB3A922ED0B1188F71D47CACF965B3D50D85A57CB9FF71FC9BCC01197Efalsetrue 10341000x80000000000000001551545Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.732{AEE49BD1-129F-6139-BDD0-00000000F101}4672292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551544Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.610{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-129F-6139-BDD0-00000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551543Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.610{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551542Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.610{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551541Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.610{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551540Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.610{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551539Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.610{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-129F-6139-BDD0-00000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551538Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.610{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-129F-6139-BDD0-00000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551537Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.595{AEE49BD1-129F-6139-BDD0-00000000F101}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551536Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:31.163{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F953718811C665C180714A3745F426,SHA256=82267D2AC90D08DF0BAB0E528290170790A0CDDFA538224AFA59A521DFA88332,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:31.012{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000005503118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:31.012{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=15C0DBD066BF2252D9A2760F850FD216,SHA256=B4F4ECC7B8D3C7B21546C6E8F67F03AA6BC3025FEE5359360F7D4E023AE00249falsetrue 11241100x80000000000000005503126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:32.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:32.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390696A42964EB0C45B17F3FF169210F,SHA256=867C3E6CBD3413F866B196EA522E5C399C1ECC21CC31254AC536AABD120B3502falsetrue 10341000x80000000000000001551565Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.966{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12A0-6139-BFD0-00000000F101}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551564Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.966{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551563Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.966{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551562Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.966{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551561Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.966{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551560Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.966{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-12A0-6139-BFD0-00000000F101}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551559Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.966{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12A0-6139-BFD0-00000000F101}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551558Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.951{AEE49BD1-12A0-6139-BFD0-00000000F101}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551557Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.612{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D989BF4DACA5B8F5FBACD93330465DB,SHA256=DFCFDA6D52B265671640A867EFD3027CEA3A13DF02E0C7B12F7A8AAC826F2002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551556Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.612{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5980395A13D2A1F5BE35EEBB4AF185E,SHA256=753F63890E3FAE699792D9616E1D598999352C2A2075C1A3D7670A4F2187075D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551555Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.396{AEE49BD1-12A0-6139-BED0-00000000F101}10401008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551554Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.280{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12A0-6139-BED0-00000000F101}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551553Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.280{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551552Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.280{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551551Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.280{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551550Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.280{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551549Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.280{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-12A0-6139-BED0-00000000F101}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551548Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.280{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12A0-6139-BED0-00000000F101}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551547Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.265{AEE49BD1-12A0-6139-BED0-00000000F101}1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551546Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.164{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DCD37E31372AFEA9114FC5AA5579D5,SHA256=5B3D7E75C46AF6AA24CD5874045336FB6A85C710C7455F7B14DD21170EC65D5F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:31.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:31.997{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179A7718DED56C309B44F031DCE99645,SHA256=C8245BF3CC35856EB292FC7E4404DF0CAFBC0A5BCBEA3CB08A2621E369B45BA8falsetrue 11241100x80000000000000005503133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:33.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:33.950{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EBC86997958D5DA6851D6021E1BDEB2C,SHA256=EBB2D7B87C981D2C5FAEF67DD1D36A070D6256C3D8CB55C628D9BFF89645F8F1falsetrue 354300x80000000000000005503131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:19.556{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49861-false10.0.1.12-8000- 11241100x80000000000000005503130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:33.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:33.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDF3A14386EF326E8B1C377603C5E92,SHA256=8CE3C6FE0618625ED95DEFD733D96204FD294C6D6466230FE93AC8124C070BDEfalsetrue 23542300x80000000000000001551567Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:33.166{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A63ABC0226E5B35A4E09B12E96C182,SHA256=3C4729E43E613F5F683BD65A43D030BCE1303049D71EEA114D865996DA7FDD32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:33.091{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:33.091{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4E5E9116F353E50997A1C2508428917,SHA256=6126AF5C7A28BB34CC85763AD21E1BEB66D13FC320C1D7CF7D3F7A80505D1B64falsetrue 10341000x80000000000000001551566Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:33.082{AEE49BD1-12A0-6139-BFD0-00000000F101}15242748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551570Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:34.169{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C471CB3572AA7D1E888EF9FBE8E78C2,SHA256=6AF825B2BA44B9AC52666F9A030026B3C0B2D529547B554DEBE73B2DDF903BD9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:34.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:34.763{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=17577569AD2FAFC81BD3ADEC8A241B86,SHA256=183F34F41E53942B61A4CED90F6ED591C67303362AFF08571D5A2EC349FDCFC0falsetrue 11241100x80000000000000005503135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:34.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:34.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92B3DCBEEFDEADA76FE0EB70AC8A591,SHA256=5352546B792B1B5378BD33D48E3FFB9D863F9664C5D47E4DF7FD62CC190C2E42falsetrue 354300x80000000000000001551569Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:26.729{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61764-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551568Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:34.034{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D989BF4DACA5B8F5FBACD93330465DB,SHA256=DFCFDA6D52B265671640A867EFD3027CEA3A13DF02E0C7B12F7A8AAC826F2002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551571Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:35.172{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF9D1A70655CCCE2154C5988338C40A,SHA256=088658DE9E6A0F9B548BC42E5DA03A2B6568AC5165A089ACD4028F2CD9E71738,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:35.388{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:35.388{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C8D87F97AC9B6DE8D87F0B9C13D585,SHA256=7C247C9860B6D85AFB6AB84BB83E0FF4D650595638F06B8E69F56113BB2440BFfalsetrue 11241100x80000000000000005503143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:36.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:36.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60A788B077E190020F36B1BB2BB32F9C,SHA256=8B5B24FCAB23148B5932C0272AE4CB3E60B173B29B3117BE644F4DE1F67D8A27falsetrue 11241100x80000000000000005503141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:36.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:36.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8144783E83645F527E56F2B4693DEED3,SHA256=2EA8F479E65ACAEF72E90CFF4A7FD4B5E9109514839DEF318AE458164EFE8878falsetrue 23542300x80000000000000001551572Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:36.174{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749D9F73FCC63DF5B423DE3A8D910C8C,SHA256=F254ECFD953DDEAD54DB6848F5BB6D32D4FF8683110B674235F823127C3D5149,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:37.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:37.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA5C90F70617300BD208560E22F7B96,SHA256=6F4A78A057ADDE887F24F730A46355B48384DBCA2675B89CFB3CE0C127A5B712falsetrue 23542300x80000000000000001551573Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:37.176{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F975C1AC7B670CB61A91ABA9012904A1,SHA256=24397CE09EAD6C7D787F1042879244B72B6D663B01697819739FEF8EF0915458,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:24.666{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49862-false10.0.1.12-8000- 11241100x80000000000000005503149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:38.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:38.435{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED5E75486F692014928A8F06CEE9FF3,SHA256=EA4E90BFD1DCDDD8DB825F0AFBC6BDB139E9B25FBEA7BDBA6887666C5DAB45B7falsetrue 23542300x80000000000000001551574Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:38.179{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68761F400978DBF0DCD4E66A7A0E4B67,SHA256=14F8C68DF9F06EA993CD39508DB6165F1082A73D095B21353AF14B08217F7E92,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:38.185{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:38.185{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C68335588DEC7FC10CB1D7E4417287,SHA256=E9DD28B8E45658A343B674D179213C751795A3D3F6C822B97748EF21804090EDfalsetrue 11241100x80000000000000005503156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:39.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:39.825{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=361342593AF7E36E2C6E5FD078F0E646,SHA256=4DACBEA7B03E7B72531530EEBCE2E2EEB9E8223CB8EEC03748A8D1F8B6C63437falsetrue 11241100x80000000000000005503154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:39.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:39.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3276C97BF9513F5B6BC9FEA45711F3E,SHA256=2AD6A728678FB178C4921291618937BA4404194CF718B0D27FA5A061F1DDB079falsetrue 23542300x80000000000000001551577Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:39.212{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F92041382738BA613487404F4C7BA1C,SHA256=9A7ABCCF3C20793B3453E50182B27B7FF19F1D30A84C5C1E9E2B6E826794C28A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:39.106{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F759B4D36AFB4E15B34C4060C013077D,SHA256=230A13085C42343DE7A153C0A825A352CE4AB47158DB5CEE9BCB7005E0445C71falsetrue 23542300x80000000000000001551576Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:39.081{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A3087FEDC1F086597182E02636AB637,SHA256=EBED1CBC9CA9DE39855C62D872BC1410BDDAA79BE5E9947E563803BC48B6266C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551575Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:39.081{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31F602E322510732907D9A0CC3AA6B3F,SHA256=0231DD95964B153A0C1995E83A92639C31B9EA1D31E82C08EF4ECF846D0C03C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:40.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:40.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB634BDC7B92234D81E47D79D9D4D79D,SHA256=05E37F18F8489067BEDA2247F9B8128C364244E76B695DE3215C9E43D62C6133falsetrue 23542300x80000000000000001551579Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:40.215{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96AB7E20FE674AFC538F9744C3B433F,SHA256=650E0A4C08A89FFB9602D51EE42F2433E52E48EC4A9FA40D030549B5C6B271F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551578Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:32.643{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61765-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005503160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:41.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:41.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F29E3B26A32DFB24FCCC93785D82D04,SHA256=C293AD250625456C8F695AA0B7C7FF9406D5CFD65EB68768B35DFDC9F90AB21Afalsetrue 10341000x80000000000000001551588Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.455{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12A9-6139-C0D0-00000000F101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551587Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.455{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551586Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.455{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551585Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.455{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551584Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.455{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551583Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.455{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-12A9-6139-C0D0-00000000F101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551582Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.455{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12A9-6139-C0D0-00000000F101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551581Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.450{AEE49BD1-12A9-6139-C0D0-00000000F101}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551580Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:41.234{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4411FEA943D0C3FD67599188956E25,SHA256=1EF4629970C8A27DCE188BB741D44FE6D3041A5F3D9E6E4001030C07678422FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:42.575{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:42.575{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D237EA6AC9EF81848BFCE11EBE3BB37E,SHA256=BDE013FC4E5CB4B364755CC7977F583D0B637E9DF6B5ED011A0766CA42286F7Bfalsetrue 23542300x80000000000000001551590Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:42.455{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A3087FEDC1F086597182E02636AB637,SHA256=EBED1CBC9CA9DE39855C62D872BC1410BDDAA79BE5E9947E563803BC48B6266C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551589Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:42.254{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013AB9E3616831AF621441EB5C8B7E36,SHA256=6B908FD6AB1C55A0CE8CF5DF2AF62B191CD33A130B88BAE475F67C6A8E252523,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:43.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:43.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AA2371101AF11F1B63656AD47F1933,SHA256=8A0000E5E1B994341028A33668764AED64C34FB55E125E64BC5F0D9B1D339FCAfalsetrue 23542300x80000000000000001551591Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:43.275{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16ED414EF90E0937EF956C2EF112392,SHA256=A3E5539126EACA520543C68260426199F225FFC7934FCF10419EDF75F2772E26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:43.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:43.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=680D21BA34D828ECD279EE8CC3494BED,SHA256=A17AF3C7188E58617DD1F11D9AA142672E949AD1C6EF29F323A003B9BF5EBC91falsetrue 11241100x80000000000000005503164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:43.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:43.279{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35F7B2B72905E624C6725548D455B19,SHA256=1EEEB329C4BCCC264E379E23C31BB6CCB85F58560D8E6084CC0BDDC61DE6EA47falsetrue 11241100x80000000000000005503175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:44.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:44.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89A1D43D0E820D496BAF329B8CAEB5C5,SHA256=E1E82A5A7E65B01B86EBC12868627583953A72E2018847C436F673EFB2F08E9Efalsetrue 11241100x80000000000000005503173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:44.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:44.733{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A57315A0E72B64E295AB5569F002F3F,SHA256=88203AEAA698DAC5D9241FCDAEC119EB86F8A2FD83534F68A58AF6C382401C91falsetrue 23542300x80000000000000001551592Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:44.277{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BB7FC2E44DB9F29603D586460E5504,SHA256=37917A190BE0E99484F09CC45CF2DF5EAD3BC5FB77810B7100CA6264B001D903,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:44.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:44.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB7377980E399F88DAFE6DC85959BC1D,SHA256=C2B1E316E60B52F4C4C4B5F4F9D60DC79D46C94BA9FFE16E93E16D1B7B3D409Cfalsetrue 354300x80000000000000005503169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:29.744{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49863-false10.0.1.12-8000- 11241100x80000000000000005503177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:45.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:45.748{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78ED3B5EECC9C707A1BC2BA5362BBDA,SHA256=39A509EC2F51D6E412076B2C390C3FF7FAFCF1BC91AA4953F63076DFFE68DCE2falsetrue 23542300x80000000000000001551595Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:45.481{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7260MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551594Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:45.279{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526EB2AB2C7251F7CC13459A7CB93651,SHA256=8DAE21F2C9B93CAA8966DC281BC79AF6B2A2A78005847C6CC4D2D5DB3168B939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551593Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:45.061{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2EBBD521E6339871E0EAF2810028B9B,SHA256=4488B0871F382DC8399D562AB5D242129E7CAC5E37C01864A85C95F49B6F5A12,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:46.779{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:46.779{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712D6FB8B4086B245FF69A0D196115B2,SHA256=3DA6B5DE78E0D9675D1BBC08A3A985E423E14C47DB06C5303B54243E51F322EFfalsetrue 23542300x80000000000000001551598Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:46.482{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7261MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551597Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:46.297{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B1701D4A3B482D040E3AC31E173177,SHA256=446D7C69E1A4F678F64F71C42D635A89F48D542C03F17E7DB31C3F30D338BBA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551596Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:38.654{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005503183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:47.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:47.811{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D813624B9C665A7A3DA390A481943D,SHA256=6FC0E1CE99BB14EA9AD958E33304D8F2699723AEBAC08598433958321A0280A5falsetrue 23542300x80000000000000001551599Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:47.314{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1175149B9A48EAFA4824B778F06D44CF,SHA256=024CC764232A0FE572CE1F41E6F46BB7E418C6817025758FC5C46F7E63E02D1D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:46.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:46.998{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=680D21BA34D828ECD279EE8CC3494BED,SHA256=A17AF3C7188E58617DD1F11D9AA142672E949AD1C6EF29F323A003B9BF5EBC91falsetrue 11241100x80000000000000005503185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:48.826{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:48.826{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAF6E71D88BC3A1A295DD886B155AF7,SHA256=FBE5E17B646AB891D10F2482E841F4226BD5C61BD0CD6EA0646F2F9A67988CF2falsetrue 23542300x80000000000000001551600Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:48.367{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04E7207464B2AE4BC4D7FFDE48B0DC7,SHA256=3C6104EDD0730A86D873F0ED445E194A5A4943AB31AFA9E44366E82BC3DF3AB0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FE843EFA3EAB20E8D652E4A357B8C5B6,SHA256=0FC9B291B29A2E5FC5AC8021258DA94EDCB659B01B0984C2C81FD3A6607EEA97falsetrue 11241100x80000000000000005503207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B78F1011E0115C0C3B2305229E0669,SHA256=39644610DADC86DE15FB6A2720F5971946BEFE8F3C9E3627DAE9DBC51F62C764falsetrue 23542300x80000000000000001551601Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:49.404{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9763527E660B4CA34EAB8E0BDA4BEB8B,SHA256=D9547C211BB9494CE09864376F2AAF17B528020936FECDC46D8E048307DD3ADD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005503205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000005503204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000005503203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005503202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005503201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000005503200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000005503199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000005503198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000005503197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000005503196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000005503195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000005503194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000005503193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000005503192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:49.529{4DF467A6-D3A4-6138-36CD-00000000F001}6780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000005503191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.451{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005503190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.451{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005503189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2401107AAF0A46267E6ABB0CCBECD770,SHA256=2D508356024F442323BA158C651D8F0CF6C7A34B197D2671570B09E44A396FF8falsetrue 11241100x80000000000000005503187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:49.295{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B519F9147B431B52D8A92E401A00433B,SHA256=276CF2155F81DC422C973466E784A292BE91D4FD317D2F1370B55D852DB87F7Ffalsetrue 11241100x80000000000000005503214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:50.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:50.904{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD3C923BBB39D206CE989D0B5E63C63,SHA256=EFDB89F7420A61BF05192659BD34C26B8A47053F0CC4D9E68A14B8AC31A42918falsetrue 23542300x80000000000000001551604Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:50.437{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703D97732C8FC5D37331676B08C1FD9B,SHA256=01EAACF6FE02272A1366CC2F82D7599003D05C41B41C0AC9B9609B3137FF21AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:50.514{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:50.514{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8163F1779A27B4393E49ACED9A61259,SHA256=00920D785F782ED0D68FD5DCB714283BFC5F0ACE4E1819D8567BFCCE023D3E73falsetrue 354300x80000000000000005503210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:35.651{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49864-false10.0.1.12-8000- 23542300x80000000000000001551603Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:50.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5623A1A656C4ED90BB52D292C72AABC,SHA256=893B6D1892EDBBFB701786EBCD06185763C8D26647F28CBCFBF4FAFBAFBA1AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551602Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:50.190{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D515EE2EE7B721D9E2A5277F5858A9,SHA256=622F75E9A6157A912C79AFA93C5AE7D5BC66C48B8C4EF4A3527C7E101CE90C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551606Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:51.439{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F88D70CF050FFD01525ADAF5A764FCE,SHA256=B9742FD7556BE54209E7773C9FE08860505F3890903DD73BCBDB6EA17F6D8068,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:36.948{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49865-false10.0.1.12-8089- 354300x80000000000000001551605Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:43.788{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61767-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551607Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:52.442{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884FE581BCD8CFC81191FC104514DD97,SHA256=952D665081F1B63FF4144B5C579495790CCDFC6CFFA09FB38083209B8F6C53EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:52.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:52.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ED1EF62772CBE25660276C6503D502C,SHA256=4B98CB32E138F36593A55737F2014DB2827797AE1BEA44D94BAEB87AF668975Ffalsetrue 11241100x80000000000000005503217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:52.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:52.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EED5135D6728EF59EAE7205944E8C9D,SHA256=DC2BC71D87E3C96917A8D049812BBD94F9630C6ADC2173B8394F80A9B611E144falsetrue 23542300x80000000000000001551608Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:53.459{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8348BFF16F0E77C166EDF44AE0CA7B0,SHA256=15262A19F92DD189B24ADA625D4C67CE9CF9C99350C0350047DBC90994753645,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:53.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:53.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33DAEAF92C45352F8196D3FAB1DF472,SHA256=F0476B880EE4B2A0FF5B6A860FCA61C72E6B8BE7CC46F49167E853FA15C562BBfalsetrue 23542300x80000000000000001551609Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:54.484{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810BD4BF1C8EECD68774752092EF4CA2,SHA256=A5AEEF1D98D8D8F09176EA4CF2385657D4FC535FAAD91C9502015809868D6665,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.951{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6937B9334C97FF58CEB105AE32BBF10C,SHA256=90FC6288378560A6AD924D7E955B5BC633E2415A01ADB7AEA5386055659AA212falsetrue 11241100x80000000000000005503227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1A11E5583E0A0EAB0A8CCAB211C69DFF,SHA256=6151C13A64D65B1DC33D310B0D26398D7DB7336F7023F4E140A846C5E007EEE5falsetrue 11241100x80000000000000005503225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.342{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 11241100x80000000000000005503224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.342{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.342{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEA855D0B153BAAFBBD0D05830F3C43,SHA256=DDB32D8043AC9C2F44B6CE7BDA45F364906B99617287DF29AA12CD1974A42283falsetrue 23542300x80000000000000005503222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:54.342{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F18FA9497B1C8429BF0828A6F725ADBE,SHA256=8CAA4E74B44CB9D280D96801921741F5EEBB9091A6FC8FD04BFAC7890362F1ABfalsetrue 23542300x80000000000000001551610Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:55.517{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F694BA1A1579CC57ED8A9E5CEE725B,SHA256=CBE3FCE57B101E5A5CBE37AF0439A1B43A1102C75BA2E7494AD69301B189CC87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:40.729{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49866-false10.0.1.12-8000- 11241100x80000000000000005503231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:55.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:55.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E88D9CA418E3D921B1F0C3437302F5,SHA256=4782DE5484E01FE2E2038E903448808DA19FF00453542B7032DCB0C5852A2953falsetrue 23542300x80000000000000001551613Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:56.586{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2213442FD03B88A799B7C5D45595D2D,SHA256=B217562A72EF9A6D275E7FFA1DEB2DB087F460304EA0A7A0AEBEDD0D255403D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:56.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:56.389{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BECAD0E2EEBDCD5DCEC05FB2944EC46,SHA256=EA4A4B43AFB02D4B03D8C532DC6B586BDBE904BD4C262331C99E9E7953779825falsetrue 23542300x80000000000000001551612Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:56.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4582EC849134959A91DB4E667FBF9BFB,SHA256=472572618FB5EC42FED0E7006BE38BD6489683ED59F81BC2F5C13B37B1340A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551611Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:56.203{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5623A1A656C4ED90BB52D292C72AABC,SHA256=893B6D1892EDBBFB701786EBCD06185763C8D26647F28CBCFBF4FAFBAFBA1AC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:57.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:57.420{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93084822965DAC68FB64E68B47C305C,SHA256=FCC8A83D6C379F1A51CF23A61B265FAA708970B6B776939A6D1647CC385F0C1Dfalsetrue 354300x80000000000000001551615Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:49.801{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61768-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551614Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:57.606{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574C9E9B12BC70B06907DE2B4C44238B,SHA256=F5D872CE990A61EC7CB5A23F4F083B7B4E4F524119C1EE540306AA37BB20975D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551616Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:58.641{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347E763E53516F53547E716D13B4EC0C,SHA256=68D9A214F802BDB16721B5D359EFA80D283379D51F20208084C12057B0F05943,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:58.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:58.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5009557233749FD6BA21A0B9AB874679,SHA256=3D8A67C70843F366CA84FCD2A796707B9D99940E7D782739C958A6BDA238EEB9falsetrue 11241100x80000000000000005503272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:59.826{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:59.826{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70580BAB3FB90C167FCFA234E681D151,SHA256=0942B9F95FD863BB4905926B46D3E29DD1E5C3BD0BA2C3724DB51DD16383D143falsetrue 23542300x80000000000000001551617Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:59.692{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ED4B57488D44AD57001B93241150C4,SHA256=99567AF0224A13FCAFE495026AE933FA4886371F6F9A36ADA5AB763ADD0B090B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:59.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:59.186{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=563BD153FC2F9CC6BE5393CD3D13452E,SHA256=6045005B67A226FCAA0580FA8E1413E4729E5F78F8BCC8EDB74C68299CE54E51falsetrue 13241300x80000000000000005503268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000005503267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities2086 15,1074 15,2413 15,827 15,134 15,2402 15,129 15,1001 15,2159 10,103 15,2324 15,185 15,1000 15,121 15,2401 15,1445 15,1338 50,951 15,1338 10,999 15,226 15,1282 50,831 15,1282 10,1338 15,2430 15,1282 15,132 15,1128 15,2328 15,2087 15,850 15,998 15,1039 15,828 15,2323 15,108 15,829 15,2088 15,335 15,830 15,1255 15,974 15,1249 15,670 15,671 15,1002 15,111 15,332 15,669 15,291 15,1249 10,70 50,2327 15,120 15,184 15,2325 15,2326 15,2329 15,116 15,2403 15,2404 15,2405 15,1209 15,2406 15,334 15,2407 15,1221 15,2408 15,2409 15,2410 15,1443 15,2415 15,937 15,1204 15,2411 15,2412 15,2416 15,2424 15,159 15,109 15,2414 15,2417 15,2418 15,133 15,318 15,160 15,2419 15,114 15,107 15,2420 15,2421 15,131 15,2422 15,2423 15,104 15,102 15,2425 15,2426 15,2427 15,112 15,117 15,106 15,1444 15,115 15,118 15,101 15,2322 15,113 15,105 15,123 15,2428 15,2429 15,2431 15,2432 15,125 15,333 15,331 15,2225 15,336 15,128 15,124 15,100 15,2433 15,1007 15,110 15,2434 15,1446 15,2435 15,2436 15,122 15,1373 15,2437 15,127 15,119 15,1008 15,2438 15,969 15,2439 15,126 15,130 15,1584 50,2159 6 13241300x80000000000000005503266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,22561229,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000005503265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds019677900,24131419,34968335,8758344,17134338,20039442,18409363,21378256,40920709,19200086,19972417,51655840,17634580,18658649,18375312,23979203,18658648,17698823,17183040,19677907,34968340,18948503,18658650,17650967,21378211,18637650,18674530,9319450,17126295,18948102,21313610,18409416,18948101,36517339,17634578,18400089,36761792,21030802,21378249,20979747,34968342,34968338,50890251,34968337,34968339,24470607,8448079,6366290,38013077,34968341,7690258,34968589,36274763,17182941,24406167,20027008,17182979,20027009,9176926,23205313,7690254,5850584,8263521,17622912,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,21378246,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,17045407,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,5888003,19732353,23979200,18384802,18633496,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077,19200081,25036313 12241200x80000000000000005503264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 13241300x80000000000000005503263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 13241300x80000000000000005503262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000005503261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000005503260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000005503259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000005503258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000005503257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000005503256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000005503255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000005503254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 13241300x80000000000000005503253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\2DWORD (0x00000000) 12241200x80000000000000005503252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 13241300x80000000000000005503251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 13241300x80000000000000005503250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 12241200x80000000000000005503249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005503248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005503247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005503246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000005503245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000005503244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000005503243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000005503242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000005503241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000005503240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000005503239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-DeleteKey2021-09-08 19:44:59.186{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 11241100x80000000000000005503281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.889{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC2F3EE279DB62B5DC3EFA8F17D2451,SHA256=2E894AFFE2D202F07DFDB0C4D2DD5C4BA1BE4442CF53B6E0F3FDD976386275A9falsetrue 23542300x80000000000000001551618Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:00.694{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2815117A7C6189B6387062B89516666,SHA256=A5E43B15FF6F014C68DB3D90DA2D77F0260224FB106349FBDCC853C0E552B657,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:46.619{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49867-false10.0.1.12-8000- 11241100x80000000000000005503278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=702DD37E6AD6BF4A08C7B59293BEBADC,SHA256=544DE8B70552ACB7F12890183BB2431D828AD35550EE75CA4F760A46EF5B25C3falsetrue 11241100x80000000000000005503276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD7E4B6C95123DB422387EA51D22E674,SHA256=D41F42EF5B9FA582038F7EB7206B1FD4535928B7C5C3BF8CBC1EA0B42B49411Efalsetrue 11241100x80000000000000005503274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.045{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:00.045{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7A4B1B6369A847F754953B9A6AB951D,SHA256=F77E9AD6897A873DEC2BDBA01FAA2B30113047E656A336E4FDAD6D49070FCD8Ffalsetrue 23542300x80000000000000001551619Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:01.696{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBCEDE353EACD82BAD4A61F4151803D,SHA256=CE39D295B95EE078E5434A8AAF630948F84A6C95811ABF8EC80DCAFF30AC29E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551622Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:02.700{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00723634798B57E9D4DAB0BB9A7D0EEE,SHA256=37F2BFEEBB4215338B9227B010F94B5DD117C81852FB239455BD058D69AFE0C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:02.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:02.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654B73D55632AA39B1DE738DE160CEA7,SHA256=5BFFD696557B2194B965C9F3BD001821E133A99374CD2E3B4643ADC3440CEC63falsetrue 23542300x80000000000000001551621Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:02.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13C4E47D185C5C99CB156B5078F1EB65,SHA256=A99B1DCC7C7D575A51614C6191C1D47BDFE2586E2F776A736A54BA71466A636B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551620Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:02.218{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4582EC849134959A91DB4E667FBF9BFB,SHA256=472572618FB5EC42FED0E7006BE38BD6489683ED59F81BC2F5C13B37B1340A09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551624Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:44:55.816{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61769-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551623Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:03.701{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF105407FB83A5F931D425CEF7460270,SHA256=2FD9633F648D5416F9F118B50C8BF4FD5855A5D853A44BA8CC2487A03BE5CC93,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:03.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:03.092{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3442DA4B8492D02ABFDDE425D542D77E,SHA256=9907B37DB3CCA0663DE985EDDF12A3A63B71DDB4AAECA71D585D92D237D8891Afalsetrue 23542300x80000000000000001551625Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:04.705{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152F99E47545AD4CB5ACDF25B24DE4E3,SHA256=610870EBE6A8BBF3DAD9C6D260756ABB532C5DEEB06A2998E6B4F2A3B595BBB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:04.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:04.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D7899650A67CD563B28CA87DFF0AAAF3,SHA256=5104690708FD57CD78B272EAF2726B3FF591B7F78151AA67157813A773F3F18Cfalsetrue 11241100x80000000000000005503287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:04.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:04.123{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D36ADC21C1EFDECC9F6B24AFD78B62B,SHA256=E2FFA1804322A572BF38BEDD3B79BC146564E346ED43EA5ED5A70B0A2722DADBfalsetrue 23542300x80000000000000001551626Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:05.744{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A798F4D2E3DA5BAC18E28E277DDB514,SHA256=199BE809F9D3B16BF5B850DB3245B03561F3EAB907C4EC8C93FAA3533B7A0FF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:51.635{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49868-false10.0.1.12-8000- 11241100x80000000000000005503297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3C63DCF104E0BB5909CB7C08E192DE2,SHA256=B36EB31CA79DAA576D577DA7EB913EFDB9278A8FC62DDF717ECD7DB00D1BF184falsetrue 11241100x80000000000000005503295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.154{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=702DD37E6AD6BF4A08C7B59293BEBADC,SHA256=544DE8B70552ACB7F12890183BB2431D828AD35550EE75CA4F760A46EF5B25C3falsetrue 11241100x80000000000000005503293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721CC27A4B408C36389D68531FBF797D,SHA256=8978FFA533B63D8FF772E8C32B0EFAB36122CB3F02DA6B576AC4CF4EB905CB4Afalsetrue 11241100x80000000000000005503291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:05.076{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6E129E73474480F8C6E9F085D20442C,SHA256=0C11045EF9E262BA5CE3CB2FE9ABC4FBF9DC7CD931AD13BF62E697681CE306EDfalsetrue 23542300x80000000000000001551628Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:06.745{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00712DDF55C23037849B92B9849818E9,SHA256=BC9C34BE7F048A98EAFDA4B6B10BE280BB1A5D92899544A37266E8205679E703,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:06.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:06.201{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681A6438B934F07E08AF7DE8A22ED268,SHA256=07E210B3A7ED7D7ED974444B8621E13608010C3D34EDE56EAD1FEBF5B42C0FBCfalsetrue 23542300x80000000000000001551627Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:06.630{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8383AC12558D239FB2FDF4ED50AF300D,SHA256=AD3610CD5FA1FB63CA924248F31DBDB5D5374A738FB4893CE7D2E695BA7B0258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000005503301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:06.154{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:06.154{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:06.154{4DF467A6-3F47-6132-0C00-00000000F001}8361020C:\Windows\system32\svchost.exe{4DF467A6-3F48-6132-1500-00000000F001}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551629Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:07.763{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C96FF0780B36DA4DFB7C1CCA01BD0E,SHA256=2D2BD87EA9EB892ED60536C8C7DC1A9FE6DA1E91E1413D1776012FC598ADB56C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:07.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:07.248{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D26E8BA50A302D3E6793D689471852,SHA256=8C1FBC41D8AE4C374DA961D23AC712F6B46FAF271EE86DB8DC40EE70A6FB11FCfalsetrue 11241100x80000000000000005503305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:07.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:07.029{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3C63DCF104E0BB5909CB7C08E192DE2,SHA256=B36EB31CA79DAA576D577DA7EB913EFDB9278A8FC62DDF717ECD7DB00D1BF184falsetrue 354300x80000000000000001551633Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:01.661{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61770-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551632Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:08.765{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB8F0AED5641059CD79ED8948095736,SHA256=8709A7690A02D27B1757A5C91173347435EFDB01D88A9ABE0FC7EC92627B0C2D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:08.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:08.357{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC769D092CE268FB0A49E0555D7151FF,SHA256=3FA853EBC99E351B1E558161418EE94EB6A4895C99AD05C58C957105B89A708Ffalsetrue 23542300x80000000000000001551631Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:08.063{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B34ABB97ADC01DB189E7CA1042795D,SHA256=2B0EC82DBF68D06DF8D880FDD8FE0F2C5F759E7558647D2B23D7D5C91A9675A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551630Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:08.063{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13C4E47D185C5C99CB156B5078F1EB65,SHA256=A99B1DCC7C7D575A51614C6191C1D47BDFE2586E2F776A736A54BA71466A636B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551634Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:09.767{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F384B6A5ACF3481BFEE04D6B2E19F03F,SHA256=D219002BF54ABE3EAE4699A55B269760FC40A910512E1E9074472FEF8C48B8D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:09.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:09.592{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=79AE078ED1087CA35A65CAEDB0C4C20C,SHA256=2D3B9CB47EF3ABC9DABB9C54D04DF1BC432C8A7C9EA5651D5911817C42D0FDF9falsetrue 11241100x80000000000000005503311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:09.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:09.576{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875D375DA2F44D0FFF53D13E4727EE27,SHA256=C10212209A00BECAD2F9D0B065C27B742C03E87955561CEE68A19409F5C0D5F5falsetrue 23542300x80000000000000001551635Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:10.769{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A9B095E9A1DFEA2A357F1CCC760B8E,SHA256=A318F3D2757B2029C79E378B9DABEE2A7DD15460824B95962ADAE0C5340813F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:56.650{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49869-false10.0.1.12-8000- 11241100x80000000000000005503319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:10.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:10.623{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF008E9D3DDE382CE15E0AF4B8281A5E,SHA256=068C45605A0019BA1633D90A0B47DE8F177F64900186F1E43FC024730E4A5C4Cfalsetrue 11241100x80000000000000005503317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:10.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:10.170{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F540FCBE28C4BBE140884B888CC02B6E,SHA256=603819D7106A2E2DD7E764C85B75B203D37605B7359181B9EFD9357301D92EB2falsetrue 11241100x80000000000000005503315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:10.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:10.139{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CF8AA7B2447535B87045CE1291BD994A,SHA256=DCBED6CECF7FF48B15FF8F5E94F265986B4080F2C596A5BDC7F972D2DD6ACDA8falsetrue 11241100x80000000000000005503324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:11.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:11.659{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8981483C58E8808FC6824E320370B94E,SHA256=3756B0A485ADA02AD2E40C36F2CB7B0FBF7D99DA3FDFFD9F5BE1F264E17080ACfalsetrue 23542300x80000000000000001551636Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:11.771{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A82E3ABFB7535F7E00A49E07138EEC5,SHA256=AE020193ECEB835FBF56D681DCD5BBDBCD126ADD7F52C01E5366A10C0C16BA31,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005503322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:11.300{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005503321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:11.300{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x80000000000000001551637Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:12.773{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8169704B96C2FC3365474B1056786B,SHA256=BAEBE36F49FA60A0672C864FB63034CC4AAFDABFA447791F9975132077FFC4C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:58.796{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49870-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005503329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:44:58.796{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49870-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005503328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.690{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F828A56C2054E95F920099DB27793891,SHA256=E39C8B3D8E375ACFBE3AD6A901F8AECD2B0EB8B7BD9A491124F660BF8C294B4Efalsetrue 11241100x80000000000000005503326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.018{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.018{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F75039E8EAB10467EC4E4C65FFD65AE,SHA256=4A752B475FD39E01A8E6ED6126F8AC91CC497D6B6AA8827E6EF5745F4D6C1CDDfalsetrue 354300x80000000000000001551641Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:06.671{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61771-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551640Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:13.776{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC7C0866689E79EF43EA5C61209AC1F,SHA256=92D4181DB9A93141FEAAD1DB9E78C8365D38341EACAB896C502A09B32EBD97D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:13.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:13.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336B4CE09ECBD52F9147D0C250108FA8,SHA256=7CDA7B1E5FEAA9B9B69786E7B9744B818E5F76D1110497AA20BDB854E04610D8falsetrue 23542300x80000000000000001551639Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:13.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F606F81E3AAF8E56C3BAD732CF132D0,SHA256=056D8344A22E75989822ABC6F126373DE9C7D93F902ACB4507880A72D7229B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551638Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:13.106{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B34ABB97ADC01DB189E7CA1042795D,SHA256=2B0EC82DBF68D06DF8D880FDD8FE0F2C5F759E7558647D2B23D7D5C91A9675A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551643Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:14.910{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551642Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:14.831{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3B661AA80B6904EAC470B23F971AC5,SHA256=542FF0A93C19D7CFE6B20847CFE11B42BE746D2D250D5DAC1EEF46D429DD41CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:14.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:14.737{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FE9C0F94E2C2944ED59C548B8FAD97,SHA256=67B400BF89F10FC30C5BFD62E6C37AC040E45E44A183EB30AC24A69E3E0B352Afalsetrue 11241100x80000000000000005503334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:14.440{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:14.440{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=836D09D3EF5933414EE7269BD51EDBAB,SHA256=DB95812462CCF1E67BFD6857A11E98944F530D8970CF7F96FE3F1C0EDF0454D2falsetrue 23542300x80000000000000001551645Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:15.897{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F606F81E3AAF8E56C3BAD732CF132D0,SHA256=056D8344A22E75989822ABC6F126373DE9C7D93F902ACB4507880A72D7229B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551644Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:15.881{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F2B35C7EA85C34D5BF4A884A57C5CF,SHA256=FEC04CC5B89B27B78E1BC09C6010648089F65380E717B91ED8F3BAEEDC557835,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:15.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:15.753{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A276BDBFAFD658BAFABAE460D290825A,SHA256=5A047FBDB61EE4911EF849523D1E39214D9C534BFD0F8B7509EBD5B91971EFF9falsetrue 11241100x80000000000000005503338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:15.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:15.222{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE18E1325B218E7D06390F31454972A0,SHA256=D91AE59BC566DFA5FDFE080C3F4C8F3262886AB0CAE3E423E24CA4580E903013falsetrue 354300x80000000000000005503345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:02.608{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49871-false10.0.1.12-8000- 11241100x80000000000000005503344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:16.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:16.800{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CD3FE99A45599C61DBCBE7DB84C61A,SHA256=B6F1C9B2438DF6AD8C7CDC1DB0F71500C194E3C4AE440C5C83D84BB0261B2FC0falsetrue 354300x80000000000000001551655Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:09.494{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61772-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001551654Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.899{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B9C634C4454BBE638AD6E6C18FE819,SHA256=D1C412A725DFC9E1E9AF43CD3EB2171D43C9DE189EEFA200B478EBC136E05C4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551653Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.736{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12CC-6139-C1D0-00000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551652Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.736{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551651Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.736{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551650Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.736{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551649Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.736{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551648Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.736{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-12CC-6139-C1D0-00000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551647Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.736{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12CC-6139-C1D0-00000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551646Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.732{AEE49BD1-12CC-6139-C1D0-00000000F101}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005503342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:16.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:16.237{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23BB9530AFB76BBB0FC918FD8C41E4EB,SHA256=A5E502A70E37B9B2C2FD11626660C0195F7BDBAD539B0E371634B46A8A6E7EF7falsetrue 11241100x80000000000000005503347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:17.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:17.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53049952DCC272BD05895E0ED73FEC66,SHA256=C8916201AED26273DA73C083D8FB41F3208D4A7F5E5EDD7227B78B5FBFE95891falsetrue 23542300x80000000000000001551666Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.899{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59733103FD7850F60D85A43EBE3A09D9,SHA256=E86EB8EBDD7DB51C9D59B90AA6890F08219C521E0E55A01D1503D98F63DDAAE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551665Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.752{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E22678E245D7CD14EAB5BF3FAC0E31B,SHA256=55F07B2A604D186CB09E23288250AB2C2A04D6DC2B1047F84541539D7700011C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551664Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.536{AEE49BD1-12CD-6139-C2D0-00000000F101}29405968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551663Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.415{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12CD-6139-C2D0-00000000F101}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551662Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.415{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551661Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.415{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551660Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.415{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551659Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.415{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551658Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.415{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-12CD-6139-C2D0-00000000F101}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551657Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.415{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12CD-6139-C2D0-00000000F101}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551656Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:17.400{AEE49BD1-12CD-6139-C2D0-00000000F101}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001551676Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:11.714{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61773-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551675Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.935{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266559D6ADCC4D76DB0811E2BE389479,SHA256=B143EBE8A5AB9C37244AD62819CD3D3AF164E0BB3A0AD69E1A65BD85DC07D88F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:18.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:18.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE87894CDA1EFAF9EB3AEE046B91CF7,SHA256=26564E0B89E97DD21FA2EF171EF83FC765472B50019FBDEAC0FAB7875EB5C35Bfalsetrue 10341000x80000000000000001551674Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.115{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12CE-6139-C3D0-00000000F101}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551673Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.115{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551672Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.115{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551671Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.115{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551670Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.115{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551669Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.115{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-12CE-6139-C3D0-00000000F101}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551668Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.115{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12CE-6139-C3D0-00000000F101}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551667Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:18.100{AEE49BD1-12CE-6139-C3D0-00000000F101}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551678Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:19.955{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3326C92AEADEA66EEB5CA0070C217E02,SHA256=96F6CBA425753C9CFD8BCB3E6B8B7D2D99270292AF38546DAF472A2020DB742D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551677Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:19.100{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359EEC86FEC4A36DEEE089EF06E946E0,SHA256=53071137C7FBC01F798D703C4C1154BE57228538B2EAF33701AAE3314766EBBA,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005503408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.487{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005503407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.487{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005503406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.487{4DF467A6-12CF-6139-D7D6-00000000F001}51447604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.472{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.472{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005503403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD4CF686031E1DA11BB061E3B742539F,SHA256=AB27A61F164348801BEC6C1169C34733ADDBA9A33DA2C725220055C2E6D73F6Dfalsetrue 734700x80000000000000005503401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005503397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005503395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005503381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005503379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005503378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005503365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.347{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005503363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.331{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.331{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.331{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.331{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.331{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005503358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.331{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.331{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:19.316{4DF467A6-12CF-6139-D7D6-00000000F001}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005503355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:19.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:19.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:19.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:19.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:19.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:19.315{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551679Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:20.957{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E83942083D6F5512D96D25E11EFA01,SHA256=44C8E4D19023A586BFD013C9004061FEC91B3C578CA5C706F1C56656F0D26758,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005503526Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.956{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005503525Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.956{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005503524Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.956{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503523Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.956{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005503522Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503521Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503520Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503519Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005503518Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503517Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005503516Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503515Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503514Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503513Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503512Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503511Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503510Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503509Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.831{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005503501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005503500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005503497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005503488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005503484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005503479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.815{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.691{4DF467A6-12D0-6139-D9D6-00000000F001}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005503476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.690{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:20.690{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.690{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:20.690{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.690{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:20.690{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005503470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1BBD6971635A9AF9026C2418C3CF563,SHA256=A03446B28EA2F20CD44B6BB438D6288B8F26BDD87FBD2F1B78E18AFF5607789Dfalsetrue 11241100x80000000000000005503468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.268{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4DE3F0BF2FBBACE40DAA5386E27F285E,SHA256=70869481F22ADBD202169A8D82917F625EF8A6E17CEF380FF984A3A9D30DE385falsetrue 534500x80000000000000005503466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.143{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005503465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.143{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005503464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.143{4DF467A6-12D0-6139-D8D6-00000000F001}36281584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.143{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.143{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005503461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236FB3B0E17F405BE437CC472DB6095E,SHA256=93ED951A3521DF89FFAF1B5C0A4A1D72FDA495C75E1B0698FBF047D601943C75falsetrue 734700x80000000000000005503459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.034{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005503455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005503453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005503438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005503437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005503435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005503422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005503417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.018{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.003{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:20.003{4DF467A6-12D0-6139-D8D6-00000000F001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005503414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.003{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:20.003{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.003{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:20.003{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:20.003{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:20.003{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551680Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:21.974{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E9588C2F22A895CD4D6925A027A445,SHA256=B7C95438DB57E24DCDCCE2A3A842C13A692CAC118D7318938BB8FF3E2BB685CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503589Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:07.623{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49872-false10.0.1.12-8000- 11241100x80000000000000005503588Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503587Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.722{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE26D2DBDEBC91BF097D10169F319E4,SHA256=95D7B4EA76D46B80A1C9EB9C33DDAE5BB7800FC5974C187C043B17097C6C6E32falsetrue 534500x80000000000000005503586Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.628{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005503585Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.628{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005503584Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.628{4DF467A6-12D1-6139-DAD6-00000000F001}62247912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503583Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.628{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503582Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.628{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005503581Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.518{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503580Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503579Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503578Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005503577Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503576Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005503575Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503574Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503573Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503572Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503571Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503570Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503569Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503568Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503567Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503566Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503565Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503564Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503563Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503562Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005503561Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503560Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005503559Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005503558Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503557Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503556Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503555Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503554Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503553Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503552Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503551Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503550Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503549Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503548Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503547Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503546Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503545Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005503544Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503543Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503542Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503541Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503540Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005503539Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.503{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503538Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.487{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503537Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.488{4DF467A6-12D1-6139-DAD6-00000000F001}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005503536Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:21.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503535Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:21.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503534Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:21.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503533Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:21.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503532Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:21.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503531Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:21.487{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005503530Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503529Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.050{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379D7EF7CB0F06D8D59F8267E2FCB7E1,SHA256=77B8A9388450C97CBAA22C66F359DD270DEFF053D665510271C82EFA73EC2DA9falsetrue 11241100x80000000000000005503528Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503527Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:21.034{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E8A1E610A88FAC6F8BB9D1E0E06FE3,SHA256=5FFF4E7B197C830B6B11CF6B293D0E17BB40660D295A81892738C66E8560ED4Efalsetrue 23542300x80000000000000001551684Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:22.976{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009C0C3C725CE680A71A56D09C323FF3,SHA256=2F32A403ACE7F962997BA4D278AA527BEA3B05242F4E8DAA94197FE96EA914B7,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005503709Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.847{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005503708Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.847{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005503707Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.847{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503706Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.847{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005503705Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503704Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A085B02DF3EEC2C460180BB686DBD23B,SHA256=A8AB3D061B625EC5589C9A384A653F485D51C631FC331E50ED7550D57F4497B6falsetrue 734700x80000000000000005503703Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503702Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503701Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503700Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005503699Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503698Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005503697Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503696Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503695Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.737{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503694Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503693Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005503692Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503691Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503690Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503689Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503688Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503687Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503686Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503685Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503684Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503683Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503682Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503681Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503680Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503679Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005503678Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503677Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503676Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503675Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503674Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503673Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503672Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005503671Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503670Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005503669Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503668Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 10341000x80000000000000001551683Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:22.677{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551682Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:22.677{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551681Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:22.677{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415A-6132-1500-00000000F101}1164C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503667Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005503666Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005503665Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005503664Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503663Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503662Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005503661Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503660Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503659Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503658Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503657Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005503656Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503655Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.722{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503654Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.708{4DF467A6-12D2-6139-DCD6-00000000F001}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005503653Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.706{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503652Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:22.706{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503651Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.706{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503650Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:22.706{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503649Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.706{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503648Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:22.706{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005503647Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.315{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005503646Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.315{4DF467A6-12D2-6139-DBD6-00000000F001}44965084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503645Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.315{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503644Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.315{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005503643Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.206{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503642Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.206{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503641Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.206{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503640Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.206{4DF467A6-12D2-6139-DBD6-00000000F001}4496\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005503639Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.206{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503638Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.206{4DF467A6-12D2-6139-DBD6-00000000F001}4496\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005503637Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.206{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503636Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503635Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503634Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503633Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005503632Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503631Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503630Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503629Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503628Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503627Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503626Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503625Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503624Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503623Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503622Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503621Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503620Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005503619Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503618Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005503617Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503616Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503615Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503614Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503613Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503612Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503611Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503610Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503609Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503608Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 11241100x80000000000000005503607Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 734700x80000000000000005503606Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503605Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 23542300x80000000000000005503604Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B953C50E70569FCF8A6E6373FF9725F6,SHA256=5109F4B8478AD8E474A9B53D858CD7FC655F6386BC7200DE001F9667ADF8C254falsetrue 10341000x80000000000000005503603Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503602Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503601Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503600Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503599Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005503598Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503597Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.190{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503596Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:22.175{4DF467A6-12D2-6139-DBD6-00000000F001}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005503595Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.175{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503594Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:22.175{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503593Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.175{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503592Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:22.175{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503591Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:22.175{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503590Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:22.175{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551686Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:23.979{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3F071EAF3D78E160C0E847DCF91C8A,SHA256=429BCE562647AE143FE63845D92B7053682E3D2F7FAFF28501B8CDA714A21330,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005503769Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.534{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005503768Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.534{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005503767Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.534{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005503766Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.534{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005503765Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.440{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503764Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.440{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B911DB840BD0AE1F9C73B464C1531E,SHA256=679869CE704CF3A68247D8292C933F410ED2D4C5B009ED46183A2B6EBCF7B2F8falsetrue 734700x80000000000000005503763Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.425{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005503762Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.425{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005503761Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.425{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005503760Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005503759Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005503758Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005503757Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005503756Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005503755Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005503754Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005503753Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005503752Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005503751Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005503750Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005503749Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005503748Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005503747Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005503746Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005503745Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005503744Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005503743Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005503742Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005503741Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005503740Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005503739Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005503738Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005503737Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005503736Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005503735Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005503734Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005503733Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005503732Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005503731Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005503730Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005503729Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005503728Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005503727Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005503726Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005503725Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005503724Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005503723Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005503722Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005503721Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005503720Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005503719Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.409{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005503718Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.394{4DF467A6-12D3-6139-DDD6-00000000F001}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551685Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:23.177{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=079ECE3DA1B0A481E528124BBF4D960C,SHA256=43A948D99B4F173A59133AE768E4B6A3C1C3DCEDC93C9571DA14B8870E381F3E,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000005503717Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:23.393{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503716Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:23.393{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503715Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:23.393{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503714Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:23.393{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005503713Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:23.393{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005503712Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:45:23.393{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005503711Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503710Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.206{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0398074830140814005028147023B164,SHA256=B2FD8E91D86792D455E09F33502960E1E50BDB06FDC03680EF978E1EDD302805falsetrue 23542300x80000000000000001551688Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:24.997{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A26626AD33C3BB62E64CB22A9AF8090,SHA256=DD7A771FAB4EE8E7454226F16EDAC5F8116E799448903FCB53E2DA54FF1978D9,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000005503787Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:24.784{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005503786Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:24.784{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000005503785Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968\lsassC:\Windows\system32\DFSRs.exe 13241300x80000000000000005503784Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 12241200x80000000000000005503783Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000 11241100x80000000000000005503782Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML.TMP2021-09-08 19:45:24.768 12241200x80000000000000005503781Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 13241300x80000000000000005503780Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Config SourceDWORD (0x00000001) 13241300x80000000000000005503779Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML 12241200x80000000000000005503778Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E 11241100x80000000000000005503777Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.768{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_686DBC1B-DEEE-4FD2-989B-6FC5D6BFC10E.XML.TMP2021-09-08 19:45:24.768 12241200x80000000000000005503776Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:24.768{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x80000000000000005503775Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503774Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.612{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5976D54071FC0F50BE6BCCB87DB1C07,SHA256=953FAD1A2173243B978D282F2957C5E8E4E4DD78CB80AE98E19B959066E81D1Cfalsetrue 11241100x80000000000000005503773Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503772Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.581{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D3F6EEDAFA58249CE72C49C31D88E0,SHA256=08EAEE4A20A05F09A5014E54856D9894F0657EE1346BD2D44FE8383209B3F754falsetrue 354300x80000000000000001551687Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:16.739{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61774-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005503771Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503770Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:24.425{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A2CBEF9A7027E0FAF3BF64654105BF,SHA256=86F5679E5CA2EADAB09BBA4CA9C6DCCB0517D061C93ACE23A7E23B87B2B4311Afalsetrue 11241100x80000000000000005503795Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:25.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503794Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:25.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EC56BE86E7FF5CAF71C79B4F399EB9,SHA256=C19CD7FA8F21859EF16CDBAE83AA54E2593E17A77997C1DAC96C8BFAE77771B4falsetrue 11241100x80000000000000005503793Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:25.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503792Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:25.815{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E339A67EAE771D6B2A87184E6F3EF4B2,SHA256=B284ED39D597BEFA69F4B17C930160D52819A89DEF0E75F66AF5C6EA4D7CE7A3falsetrue 12241200x80000000000000005503791Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:45:25.800{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x80000000000000005503790Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:45:25.628{4DF467A6-3F58-6132-2600-00000000F001}2848\lsassC:\Windows\system32\dns.exe 11241100x80000000000000005503789Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:25.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503788Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:25.331{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E2796B773ACA7F101AAD04956B39B62E,SHA256=0884A85164BD354828577D645DCA65ADEABEA1C66F842DCDDB0A798D77D08358falsetrue 11241100x80000000000000005503805Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:26.878{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503804Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:26.878{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824328AFF12B7817360C5D1C2A6AE0BB,SHA256=FBC0E6773947AB992C42771BB847C38D6D6A169658A5FCB4E5CDE461AF2C25E6falsetrue 23542300x80000000000000001551689Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:26.031{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C4D5AEFDF71C617A8A0DDCEE6D0655,SHA256=71BC15A555F0BB93174EE75F885C75EA300E95C0F9B816C78CB718B68CD2A6D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503803Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:26.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503802Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:26.847{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=217774AA61480128C3761FD647278CF6,SHA256=CD3574BB3980B8004AE6F0173EB18D34C079A8067536FD37D63685DF452713BCfalsetrue 354300x80000000000000005503801Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.282{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49875-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005503800Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.282{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49875-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005503799Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.277{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49874-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005503798Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.277{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49874-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local389ldap 354300x80000000000000005503797Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.265{4DF467A6-3F47-6132-0D00-00000000F001}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49873-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 354300x80000000000000005503796Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.265{4DF467A6-3F58-6132-2D00-00000000F001}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local49873-truefe80:0:0:0:f522:84ee:a273:e8a1win-dc-291.attackrange.local135epmap 11241100x80000000000000005503808Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:27.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503807Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:27.893{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491A9CAF8CFE615634954EE7F5242284,SHA256=139C989DA03D558CD2BE6BBCE6F818D78B9A4A872D1C7D75C50F398EAA79A670falsetrue 23542300x80000000000000001551690Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:27.033{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FC4A0B822CFB33CADB8D1434A0DE96,SHA256=873DF4FE5DAD93017FBD87147D6F0E24DD4447E8DC4EABE5B12B9C37568D261A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503806Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:12.733{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49876-false10.0.1.12-8000- 11241100x80000000000000005503810Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:28.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503809Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:28.925{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762EE4B6CDEF858BC6D04AD2D296BDEE,SHA256=FC7541CA9C7568E2C8C623109C73BE387B453915731DED96726BD82DBD141F7Efalsetrue 23542300x80000000000000001551691Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:28.053{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A347D7C7EEB32D0F62E987C4638CF144,SHA256=D5A2D8E383128B325886B5DC1D3C01E7E59ACC84A8ED4B815DEB10949DB05246,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503814Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:29.972{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503813Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:29.972{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BDC4410542D3FF01E875B79CFCB541,SHA256=8AA65B7DF802C7155855F4CBFA6B0F8AE23C58C9A0BA98E243BF6503A3F53D2Bfalsetrue 23542300x80000000000000001551694Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:29.157{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=794B77F26EC5B8BC5511B104BFA2E2C2,SHA256=9BFA36016585489E41D0A3D82D14F379ADF421A7CB37D531AA7F5E062A8EAE72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551693Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:29.156{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62F3E5EFDCFAB3E99C9E9517E7BB09C,SHA256=0176E2C1443CE23179375C62AD65B539576A8B9111AAD62B5C58AE590D428A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551692Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:29.056{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D09FD9DC5A470CCCC92DC9ACCBA9FB8,SHA256=FFEF8DCF6F9849E6C5D0329D6356CBC32665AEF4010EBF68309FD423B5147194,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503812Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:29.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503811Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:29.644{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54C9A5C03D2D0BBEF32D71F57D944D12,SHA256=81359E41842EAF01386B0928EF67590183994D3F2C125ED39B72BA1CE491ACE8falsetrue 11241100x80000000000000005503818Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:30.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503817Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:30.987{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924A03D5365BE88052F3E356AD338C9E,SHA256=563C0C76E79815703A000BB291454124F23E17E68979B05B81124CCA1DF9854Ffalsetrue 354300x80000000000000001551696Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:22.735{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61775-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551695Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:30.059{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A87918766584F39E8465A78F721F44,SHA256=58B1F22391735E27D2C3C42AC737416AA0A421AE1D6F028659ABCBD99681D464,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503816Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:30.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503815Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:30.456{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9C4C1CE4725B5CB7DAD65EF0416AE1C0,SHA256=1CE6EA4E457A1B2C85F020CFAB25C3C7B567F101515966BA60FEDD0AE3A5E45Dfalsetrue 23542300x80000000000000005503823Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:31.951{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7270MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005503822Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:31.950{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72702021-09-08 19:45:31.949 11241100x80000000000000005503821Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:31.949{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72712021-09-08 19:45:31.949 11241100x80000000000000005503820Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:31.019{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-09-03 15:30:12.187 23542300x80000000000000005503819Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:31.019{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=64DC9F06EF6F132CA01B856EFDA20436,SHA256=58E43062B28AFC537B8E0F94C1111D3DCCFD7B20AE05885ABB25513FA21F7BA3falsetrue 10341000x80000000000000001551706Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.698{AEE49BD1-12DB-6139-C4D0-00000000F101}58806104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551705Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.567{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12DB-6139-C4D0-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551704Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.567{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551703Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.567{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551702Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.567{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551701Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.567{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551700Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.567{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-12DB-6139-C4D0-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551699Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.567{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12DB-6139-C4D0-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551698Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.561{AEE49BD1-12DB-6139-C4D0-00000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551697Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:31.081{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E04850961A7AC64D69D8779B0A78150,SHA256=59A1AD12A5E96DE6D21B98D5B0B8CA7BE70EB0DB0C49A7B08F2C952267F6A1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005503831Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:32.964{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7271MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 354300x80000000000000005503830Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:18.569{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49877-false10.0.1.12-8000- 11241100x80000000000000005503829Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:32.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503828Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:32.105{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB5FC1E217B56B00A595BE42DF0525D,SHA256=37D10E5201642DF86DD1B25993135411C15B210E425ABA31BEE8EE926D9B516Bfalsetrue 10341000x80000000000000001551726Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.899{AEE49BD1-12DC-6139-C6D0-00000000F101}14962632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551725Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.768{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12DC-6139-C6D0-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551724Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551723Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551722Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551721Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.768{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551720Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.768{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-12DC-6139-C6D0-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551719Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.768{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12DC-6139-C6D0-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551718Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.762{AEE49BD1-12DC-6139-C6D0-00000000F101}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551717Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.567{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=794B77F26EC5B8BC5511B104BFA2E2C2,SHA256=9BFA36016585489E41D0A3D82D14F379ADF421A7CB37D531AA7F5E062A8EAE72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551716Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.330{AEE49BD1-12DC-6139-C5D0-00000000F101}322520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551715Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.199{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12DC-6139-C5D0-00000000F101}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551714Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.199{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551713Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.199{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551712Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.199{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551711Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.199{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551710Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.199{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-12DC-6139-C5D0-00000000F101}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551709Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.199{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12DC-6139-C5D0-00000000F101}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551708Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.184{AEE49BD1-12DC-6139-C5D0-00000000F101}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551707Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:32.084{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1816ADFB5C0A12C29ACF67A621FF45,SHA256=C9EE63FEF68A3FD74F0991E69BF5F662437D825495F962FBFABBB6E8860ADFED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503827Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:32.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503826Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:32.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92AB69F59445FD1D0E8529CB7181CDC0,SHA256=ED095819FE38B163C402519372DE85C3F22E9195F68EA57EC4BC4A6623EE7E17falsetrue 11241100x80000000000000005503825Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:32.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503824Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:32.042{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD7661F8A142A5C56CFE0311EDD1716E,SHA256=D0DB1837232A9B142E8021878D2AE0D625A8F5B85D5E0B5DD09F2F0482601ED1falsetrue 11241100x80000000000000005503833Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:33.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503832Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:33.119{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249EF3F2FA7FF5EDA0155AEC7186F558,SHA256=85B271550AA9BE592A203B52440F34B677889300B8BF22260AE2250ECCE14540falsetrue 23542300x80000000000000001551728Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:33.765{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F704D83F5BDBD4C53A3BF711E481BD4,SHA256=651B9910097A3C057CAF8A011BA25FE1FD1507CA3132836631CEBDA446FF4991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551727Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:33.099{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33543F91268118D4FB60F4D873217C3A,SHA256=6DC4E1F6544AEE589C2970B931FD52CF5446B69C9B53D3C41FFAFF2B2489AA8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503837Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:34.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503836Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:34.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D074D7BE975E91CBB9053DEB46F2035,SHA256=E4C32A0C448D60315FA0701F32A29F9A408D1F09AECA2E823065BCFBCDBE8DE9falsetrue 11241100x80000000000000005503835Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:34.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503834Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:34.216{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CC3354C745953B8F61ACA77DBF0929,SHA256=D5AB8C7E74F37E1B268A55F9CAB1F2AA9AC4D9A274D0014368B9C92C2E807905falsetrue 23542300x80000000000000001551729Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:34.116{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFF72063198E66009A98466732F8A8D,SHA256=E97BC5EA464D2FEC92D27A1F8B722F0C6D09D55B5420EFD287CA11417168D4E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503841Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:35.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503840Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:35.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DD23B65E0DD014B8F2FD8B13AC18558B,SHA256=28B895CFBD96A7DD3204B449705E9E982122D2CE444A8AA1F910C989BBA2E489falsetrue 11241100x80000000000000005503839Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:35.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503838Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:35.263{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8D2E5DE9865DE02E90A49CC1F16B15,SHA256=545F2FF01CC6D13B21A63D30284BC708139EC6E6BBED698758C8E9A128B3A4AFfalsetrue 23542300x80000000000000001551731Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:35.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB081A049B2690C9F57CB720A63146,SHA256=20B4FB8C30731CC97D5F1BDA7F9E6EA164E34FA7B848FD496625739D23FEA187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551730Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:35.119{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6BB12824C39C2B8B3A12A6E2E372D5F,SHA256=A1FC2687D6260AFA0BFDF5E4BF06190F1CA5D4BE86E41D29024D22DA9D21D941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551733Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:36.173{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDC77CCE16C7C4AEACD9742CAA1FC4C,SHA256=24921BA34B07D518A0CC9FE9BE47A28A6F28B662C780EDA15CF67AF93F481FC4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503843Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:36.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503842Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:36.278{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BBEEED218A121807E0398426205C54,SHA256=F44206D9CB09FC6EB03870D52EDF22B23577CA952C13C3739F9A4EF0BA9AFA9Ffalsetrue 354300x80000000000000001551732Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:28.715{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61776-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551734Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:37.223{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD5216C7B09793064EC54997A74E4E8,SHA256=4D56CC6A3B584C0D16A8B3FD6957449BACC60747731C46D3018E3CD80127A7D5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503849Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:37.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503848Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:37.294{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60A238314AEDC3A94316AD03DC58964,SHA256=C7E35843D731D698C353132E4E8F717EC06390075E0B8DAEA806D87EA1DE8832falsetrue 11241100x80000000000000005503847Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:37.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503846Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:37.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA49074776AA0BD097DA9B79AE52BC67,SHA256=25E8FBC452DBF2097B552C252E5C004CBC44752C4DC48C43B6D21FF78762CC71falsetrue 11241100x80000000000000005503845Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:37.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503844Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:37.138{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92AB69F59445FD1D0E8529CB7181CDC0,SHA256=ED095819FE38B163C402519372DE85C3F22E9195F68EA57EC4BC4A6623EE7E17falsetrue 23542300x80000000000000001551735Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:38.225{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D54518FA2F6B38FC536CE76B15ACA4,SHA256=C46C44F30712DCB4AC84FD9092B04DF4F4878963F17A9A349C3809B83A1AB0D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503852Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:23.570{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49878-false10.0.1.12-8000- 11241100x80000000000000005503851Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:38.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503850Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:38.309{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5B9860D772DC8EEFE445B251216FF5,SHA256=96A52BB0CB3C9A80DD4E26B80BD0F0A28C65BFF8CA59E1FF51396D1BE6ED2DD7falsetrue 11241100x80000000000000005503856Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:39.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503855Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:39.669{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75874C173A6ED598E6DDBFFFBA030396,SHA256=AB5A156990F78149CEC79D486F88AABB609AB6962419D807EF381A76EAD23B04falsetrue 11241100x80000000000000005503854Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:39.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503853Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:39.325{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E7D3D628C9955020EDE80692B16EED,SHA256=C2CB300631FE716591B73650F270FC947136EDA5C78AA65E7208547377DA9E16falsetrue 23542300x80000000000000001551736Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:39.228{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A40DD5AC75B94492A181CA372355B25,SHA256=97999E0159FFDCCE42AB063C4758E18BB19E4FB80C49554B4DB902419098140F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503860Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:40.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503859Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:40.528{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E5921961600F1557B4246A2BA218CCF,SHA256=F49AF3544624839196DE3B0267F0E2D0690999A0EC17D21E148B77EDAB6F46D1falsetrue 11241100x80000000000000005503858Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:40.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503857Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:40.341{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A5CAAA584BA2E1CEE5436854476359,SHA256=2EA415A82274768D60FA99907199F384C0526D8AAA40292BE52C08C1E0312CC0falsetrue 23542300x80000000000000001551737Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:40.230{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92DA3E8AF9FC7B00551FBD89EA4BBBA,SHA256=EED6C75B7AF99F129003352BC1888F79688D4E2964A9978C4C22BFB52C71197B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503862Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:41.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503861Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:41.356{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077705E708AD09ECECF57FAFDE05227D,SHA256=3AAB2A837D2D87EBEC6358EF9BD108334EF243309E31017B92BD3FAB086278F2falsetrue 10341000x80000000000000001551748Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.431{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-12E5-6139-C7D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551747Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.431{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551746Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.431{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551745Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.431{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551744Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.431{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551743Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.431{AEE49BD1-4159-6132-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AEE49BD1-12E5-6139-C7D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551742Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.431{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-12E5-6139-C7D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551741Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.416{AEE49BD1-12E5-6139-C7D0-00000000F101}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551740Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.315{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DCBC7ABB5C568F30CE52EDC998A01A5,SHA256=A1F751B19387B04321DEC9A1B14ADFDF1FDE690A7F48240580B76BC8C92A0CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551739Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.315{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF6A53DF48430DB3A49933B325455134,SHA256=98975E2F40D07605C349E1E3D9F8533157A72C63F3C46CCE44AE60D260DC7ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551738Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:41.246{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4C9439AFFB31501734DEDEA9F4090F,SHA256=EF8D6C4946268703349275AFEC194E3D4793FF419A1974464E0EA954305E7C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503867Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:28.601{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49879-false10.0.1.12-8000- 11241100x80000000000000005503866Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:42.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503865Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:42.372{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E6680E114D7B77CD6CAFA40351A482,SHA256=7F1823A1C9BADDCF2008568C0BCB35396A25BD084438060DC2F919D59A9B366Bfalsetrue 23542300x80000000000000001551751Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:42.416{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DCBC7ABB5C568F30CE52EDC998A01A5,SHA256=A1F751B19387B04321DEC9A1B14ADFDF1FDE690A7F48240580B76BC8C92A0CF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551750Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:34.698{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61777-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551749Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:42.248{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D800221FD29B26FF766419B8A6F9D21C,SHA256=D28BBB6572C46C76898E0C05C4745484D727622AB9630DF5B0EA4E66B16DF4DC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503864Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:42.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503863Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:42.122{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA49074776AA0BD097DA9B79AE52BC67,SHA256=25E8FBC452DBF2097B552C252E5C004CBC44752C4DC48C43B6D21FF78762CC71falsetrue 11241100x80000000000000005503869Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:43.388{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503868Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:43.388{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C47C39B51EEA6692CABD05C03992C5D,SHA256=B7069A43D16F6341997F08C3BA909E87F39AF452C9E6688FAA98D0A920809782falsetrue 23542300x80000000000000001551752Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:43.265{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8F69E0C923F2467AB9AE46B4CA7AAB,SHA256=5576AE16282F945B8770C181A4CB4BA8A9C199F8B6AB59F3128A120AC6C87C9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503873Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:44.888{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503872Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:44.888{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B4FF95C1BAF9FAD295E140B64EE13430,SHA256=FD666A6FE72D84ACFCD7522C20FDBDA32C22CA1CABD554F0B8CF53C1622FD50Cfalsetrue 11241100x80000000000000005503871Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:44.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503870Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:44.403{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D887E7397DB08E0761287DE1376BDBA0,SHA256=B4CE7BCAF1F11412032E604DDC7B89673D5F9B530EC782423E93BECD1A05476Cfalsetrue 23542300x80000000000000001551753Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:44.285{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36591D1144C9015CBF6DC897424EF875,SHA256=724E4E212B466C394EDF2BBB246921ED1CFE9D43ECA61BD29994D7C3D2154227,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503877Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:45.575{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503876Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:45.575{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38D930A0ACA5676F9C7EDC3DD1CF72F0,SHA256=9EA36976B1BA05638EEDC4C5FD54C3E6D12C15B8A26AB4864829AB71BAC8C8EDfalsetrue 11241100x80000000000000005503875Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:45.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503874Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:45.419{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0155DD8D74032FF2EFF0422F709E762,SHA256=AF887C01BE1689E65B156FE13F6856EE40600B494607CB81D69C8524C71D44DEfalsetrue 23542300x80000000000000001551754Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:45.288{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86EB8611159AF33260DC7B3024C415A,SHA256=33F461D798E2928FFDE00DA6DFAD943EA0CFCD45674CCA0002FD1FBAD73D80DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503879Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:46.434{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503878Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:46.434{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CCB4D14768AD3EB9305F8C2D439C6F,SHA256=4B025A0DA3BB5376FF3204B9728576A602B9DE6F5AB58AB306E739FFE2F21A1Dfalsetrue 23542300x80000000000000001551755Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:46.292{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD74937A439000306B180956B74191F,SHA256=A8D4F6C6950299E66EBA71492AD5FE7EF71D9FACC3F607F7487A586264F5FB60,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000005503885Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:45:47.481{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000005503884Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:45:47.481{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exeHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000005503883Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:47.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503882Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:47.466{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821159D67F0B73FE4D93DC2B2D0E0B88,SHA256=11ED7401C6A1EC75E64476036C2B526AF24055E43BE4B5C60E78BCAC67C73C9Afalsetrue 354300x80000000000000001551759Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:40.639{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61778-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551758Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:47.297{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C2BED5B9AD4C930262C1DAAC57B905,SHA256=2B076491A8D0E64E7F92E1FB9D86E74FC2E068E5105BB9DAD7EAA99B5BCF291E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503881Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:47.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503880Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:47.075{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE48931585C5BBC5691DEDE26129B7D3,SHA256=DB5994F1931B02316623525564298C886B43419560773236319908AFEAC1904Afalsetrue 23542300x80000000000000001551757Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:47.047{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A795E9AEEE5244949D3FBD096DA607C,SHA256=1A4C971DFE186265B9566A4E665174C6163F2E0B94D5C1D8BA9ADDC3C9031ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551756Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:47.014{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\respondent-20210903153805-7261MD5=4FA113A8EC8BBA18406723606DE7CA01,SHA256=9C22C290DE91C7A640873F6751844631BEBCD09BB8AFD0AB97281D346F91CF75,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503888Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:48.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503887Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:48.481{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AB521129C7FFB90DCCB2E9C4AB72E9,SHA256=CC5DA33E3CAF61E3EC6B621F7146DB2ACCD4861EA5B22D663068EAC7AA99D89Dfalsetrue 23542300x80000000000000001551761Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:48.330{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C059AF82FC354EE3886B85D129C432BB,SHA256=88009E46FBE38C51179A5E83ACB43EA00845B5661B58002EB75DEECC983800FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503886Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:33.601{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49880-false10.0.1.12-8000- 23542300x80000000000000001551760Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:48.013{AEE49BD1-415B-6132-1B00-00000000F101}1836NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0521f3765e7899d6c\channels\health\surveyor-20210903153803-7262MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551762Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:49.332{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E60F88093D4A3023C32762157E356B,SHA256=CD751896FD3CF9764ED17E8AD294E671837AC1C5E9C5898F4A27DD05C81188E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503892Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:49.513{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503891Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:49.513{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2D369A405F7B945BE1D3887F17F855,SHA256=EDB64C5FA153D766C2288637DEAA4F3E69107A16D6D1D558D0CEEA0E78D3809Cfalsetrue 11241100x80000000000000005503890Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:49.481{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-03 15:28:15.623 23542300x80000000000000005503889Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:49.481{4DF467A6-D933-6137-53AF-00000000F001}7044NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36Bfalsetrue 11241100x80000000000000005503900Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503899Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.638{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=511693BE946303EAE4A6A77A82DF4D1F,SHA256=8FDF8A4888B40F9A75BCEB9A348EE82A13919B2162E036FF7D231F01CB08F8A3falsetrue 11241100x80000000000000005503898Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.560{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503897Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.560{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386D1C8F2CE63F58310F28EEAFA7D758,SHA256=303ADDBF521313A32567476FE23F926DB83B5FFB230B1C9CDE6B25DF997678F0falsetrue 23542300x80000000000000001551763Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:50.350{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E658E361C717D351D79BC31733AA4F4,SHA256=97B0113E2F82DB8D03953ECFB86CD660629EF1241DE35378FA73BC9D2026A318,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503896Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503895Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.497{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF55D43DEFE3ADDEE27A75864D69DFBF,SHA256=2ADA719AF1A60B5E50D74383372D6BA99A150F7D58FA0AB485512FF620C7BC2Afalsetrue 11241100x80000000000000005503894Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.044{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503893Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.028{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E3C2103B5306A09D187AC58DF2CF083,SHA256=C2EDF7CA3AACA50EC20949B53E595FBFDEB4BB33054D1E4CB96CF881F2355A30falsetrue 11241100x80000000000000005503903Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:51.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503902Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:51.667{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CCEFB9EA02377004668895D5D63596,SHA256=E8C38601C3A7411DF4E5F5F3437872197C2153D9BD0632A6E7C8FF69760A6276falsetrue 23542300x80000000000000001551764Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:51.352{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D371E6BD9BCA49FB40E8F1E24BD38,SHA256=D2BCB98E94EDE6CC1EF9FB98744D37EEDF91F677D5CF8A20666F842CE38D5DF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503901Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:36.960{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49881-false10.0.1.12-8089- 11241100x80000000000000005503907Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:52.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503906Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:52.807{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51054FA943C9CFAB70481EE7696E2A47,SHA256=3CE4CB0BD6FAC62EF2D9B70FA356B19F5722A91D21B8AD68CB5B1CEEB07C9AB4falsetrue 23542300x80000000000000001551767Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:52.354{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34DE814760410C28D5590D634EDAB9D,SHA256=864A948E1D2BF9C26EFF2669C03A4BBB6AABAE1336A22351C1D64177ADAE2196,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503905Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:52.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503904Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:52.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D84F725123370BA8D69B6B6B0C43E48,SHA256=7935FA08B8871F0BEB0AE2EA62E3982E8B2F31E3106AFE9DB6C4847822159863falsetrue 23542300x80000000000000001551766Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:52.153{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E930139429C100A9B90BB20DA42FC89,SHA256=09B284F55ACA4F07D03E4115C8E7F39B6DC9C0254C7915F2C7D9520B629AE270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551765Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:52.153{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF8D0BEA41C56706550896E09F18B939,SHA256=F90339D4E4A283CD97E17DEA6E04CB129F6367885E3D58A241FCADCEB5C61362,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503913Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:53.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503912Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:53.823{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0087453B3933E9A58A2136A1DE4AFA,SHA256=60C0028FC0DF9F908FD5B6C5AB0B80380AB24617BC1135B8DFB2826744665C19falsetrue 354300x80000000000000001551769Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:45.751{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61779-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551768Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:53.356{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFEAA8C7809C506B1DE0131B503DF032,SHA256=E952382A3E6D126E8BE8F1F8014E67926A8060B2E269DA134748B0053A451BFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503911Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:53.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503910Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:53.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11B47E0491F0BE61D5A9085AA2CD5FDA,SHA256=2CA7043F89F8235E2B6E634FBED582066E1758F69203290D86E761F34F40F1C5falsetrue 13241300x80000000000000005503909Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-SetValue2021-09-08 19:45:53.323{4DF467A6-1238-6139-BCD6-00000000F001}6444C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-2453051693-1864363570-3931539573-500\SOFTWARE\Microsoft\Office\16.0\Common\Responsiveness\WordBinary Data 354300x80000000000000005503908Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:39.661{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49882-false10.0.1.12-8000- 11241100x80000000000000005503915Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:54.839{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503914Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:54.839{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E89667C44522AD4EE00DBB7CEC5784,SHA256=8ECDA27B114470936893EAE944A51A33DC398F1F0BBA761A4A89DD3FD54E79A7falsetrue 23542300x80000000000000001551770Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:54.358{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED24FDE9EA4094298D7C1EF02E69BD07,SHA256=DE0EF0BF8F9D421EAD281FDF9E1C8CC9F968A26D029025EFC5D407CD2E6284F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503958Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503957Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D125CEBFDD678A2A4060F9E7A9D6797A,SHA256=DC1487DF87E928E559E850698C44BD344BBE254E6AAF10F19119CC49861A995Dfalsetrue 23542300x80000000000000001551803Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.845{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0F078210D4F0A88107E3BB25CD0B1C,SHA256=B7E256328D5450107BC659827959CA8A87DBAEDBCE03C8AA1C03057E9B06A43F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503956Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.714{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503955Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.714{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7A6C31464BA19F11E63913BD58328AAD,SHA256=A169E373F292269BA7881A54BF6A84B431A9169BE4F13F616AD05BB5569018B5falsetrue 10341000x80000000000000005503954Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503953Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503952Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8E7E-00000000F001}1692C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503951Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503950Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503949Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503948Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F505-00000000F001}5064C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503947Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503946Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503945Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503944Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503943Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503942Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503941Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503940Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503939Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503938Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503937Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503936Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503935Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503934Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503933Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503932Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503931Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503930Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503929Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503928Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FD-6136-8C7E-00000000F001}96C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503927Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503926Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503925Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503924Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503923Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503922Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503921Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503920Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-43FE-6136-8D7E-00000000F001}6516C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503919Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F405-00000000F001}4352C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005503918Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.464{4DF467A6-3F47-6132-0D00-00000000F001}896916C:\Windows\system32\svchost.exe{4DF467A6-4448-6132-F405-00000000F001}4352C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005503917Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503916Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:55.136{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7262193CFE21ACB99805AE8050B543CC,SHA256=C30F023707560FD297E44552E780F97B034F37F350D4A3F44C66662323CB86B2falsetrue 10341000x80000000000000001551802Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551801Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551800Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551799Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551798Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551797Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-DACE-6138-26CA-00000000F101}5628C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551796Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551795Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551794Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446B-6132-EB02-00000000F101}4804C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551793Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551792Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551791Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551790Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551789Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551788Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551787Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551786Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551785Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551784Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551783Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551782Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551781Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551780Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551779Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551778Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-4464-6132-C502-00000000F101}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551777Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551776Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551775Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551774Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551773Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551772Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551771Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:55.091{AEE49BD1-415A-6132-0D00-00000000F101}788812C:\Windows\system32\svchost.exe{AEE49BD1-446A-6132-E802-00000000F101}4064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005503960Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:56.932{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503959Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:56.932{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF702F2B07CD610E33ABA2E764DF5C53,SHA256=D9B7FC9631AAAFC89D91010590B7B01645F3A3F1087B3943DD70ABEA2DEF5B27falsetrue 23542300x80000000000000001551804Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:56.863{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF97BCFC1DDD034AEAE48252AFFBD32,SHA256=98891CD2AF32D310022541885EB521730D3ADE0AE46D3528726F3C932AD97CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551805Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:57.865{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D379C211AFFAD87F2026A107D067DD7,SHA256=E4F453833DF70CE06C0C46718443DB102261F0D8C39986343CFD96EC87F94F93,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503962Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:57.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503961Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:57.948{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B39804B0BE35BB1A2A7EA2BFE211C4,SHA256=86AC94B8DB23B64AF6B589AA0C03DC5F1EA7EEB0E73D07E7AA1621E96B8261FEfalsetrue 11241100x80000000000000005503964Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:58.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503963Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:58.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C821A2E36112ED4F11A29DE78E046CB5,SHA256=3F84E80545F068D225CB1CC51670B7AA0E944B15BD026D7A3DE8521B658AAA6Afalsetrue 23542300x80000000000000001551808Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:58.882{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4941C24FB1D739B6A7456133BCD538,SHA256=5F19D84BD763DF56D5BB69BEFD7FACC82F4FB59F29149C5902830662C378EA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551807Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:58.215{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ADCC1FC2209A0379B1B0102D3DD35F4,SHA256=4E7818CAB803B846EDF318BF421F2AC963E47885444ADAC5B646C69BE27C0C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551806Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:58.214{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E930139429C100A9B90BB20DA42FC89,SHA256=09B284F55ACA4F07D03E4115C8E7F39B6DC9C0254C7915F2C7D9520B629AE270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551810Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:59.885{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE39FCD3E76E85FDDBB9510AC683B45,SHA256=1E63109FAE42BE61C15FD3E34ED981C8CAE2A69EEF6FAB369C94AF4394934FD4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503971Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:59.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503970Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:59.979{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B4F24D850BA4758217C543C9EEAE921,SHA256=D28E5317E179E9EE5651EDCF72F1B1EE1CF4AB7DD9D7CDB40EAC1F17B4EE97EDfalsetrue 354300x80000000000000005503969Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:45.677{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49883-false10.0.1.12-8000- 11241100x80000000000000005503968Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:59.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503967Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:59.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C7760345967D5834D27373DC30FFB3,SHA256=C4C891F9815D395D35DD0632B22124325B351503F7F8965B363C215FDFB1F4A0falsetrue 11241100x80000000000000005503966Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:59.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503965Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:59.198{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17A504554456FF16C5520FC76DC37146,SHA256=911F86F99A33D7D677514F7AC619A551064CA70FB6B155A71671237BFCBA9435falsetrue 354300x80000000000000001551809Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:51.763{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61780-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551811Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:00.887{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E29DD8C2397EF9A6EA8DC7BBCFC5E9,SHA256=B6B6FB4EC8A777AECBA5D39FC4832CE36A5C836CC0CCF5A7479A975A57AB61B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503975Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:00.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503974Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:00.776{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E1A6639F571DE6B0A5A4D56B0FAE3A4A,SHA256=DEF972EBBB8744DB5B0FA2229F7C32F49BFA08F20343927C1D9497D86DC763E6falsetrue 11241100x80000000000000005503973Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:00.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503972Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:00.011{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C6B2DF4EA77584D3CDD3834EED1D36,SHA256=E0CF44EE1E96FA5E596637F26009FF327694A0E38E1D659A1880E03C9479D0C3falsetrue 23542300x80000000000000001551812Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:01.889{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73F7973DF24942277E21849DAA08785,SHA256=BA5CD35ACCC51EB84DBB0B3738A3F445B55EFAF28EE8F9EB65797CD0C34A3BAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503977Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:01.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503976Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:01.026{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D725073B0998715488CF5C7CC002CE1,SHA256=37D548012999465EB0AA58DA87572842E0398137505ED10FC3FC28E45733B7F7falsetrue 23542300x80000000000000001551813Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:02.891{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74392A1D0A2668FEF0B64AD9F63E3A07,SHA256=0C9DB083C9A16DFDFCC778EBFAF91159F23C2D47F1685B039514EDA45F1944F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503979Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:02.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503978Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:02.057{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D34E12F50CC208A0DBF151C2449875,SHA256=707D14B6662C1BAAD6951BA611B9787D497FB36B4545A2235A093AFBA3770817falsetrue 23542300x80000000000000001551817Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:03.894{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D49346DC954FD1C7361DD92B057930,SHA256=85DD3910413C1C81406DE9B3DA4BCC1EF3B270825506237E0105E2E5B1BA31D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503981Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:03.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503980Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:03.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BF3C900F4AB93531262C0F2F531320,SHA256=266624357878095E96DB63521F984DA966591C9CF6F6D9DE9730D158EC8110A4falsetrue 354300x80000000000000001551816Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:45:56.821{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61781-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551815Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:03.226{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=773C01A1B0580CA12D05CE5044D9BE4F,SHA256=E3EDC9406FFE020CB585EC7E319F826B92A7786B1853543FA06246E1D9EA5186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551814Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:03.225{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ADCC1FC2209A0379B1B0102D3DD35F4,SHA256=4E7818CAB803B846EDF318BF421F2AC963E47885444ADAC5B646C69BE27C0C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551818Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:04.896{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1EC6B9A6CBD45E7976690DD3A8D8B4,SHA256=814AB5963FED7DB6B335C3086A805A37CB2CC8380B0BB448607A59334E09C9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005503988Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:50.708{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49884-false10.0.1.12-8000- 11241100x80000000000000005503987Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:04.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503986Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:04.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=559C5A9AE6FDD5FB44CEDD0F9F236446,SHA256=50FAD95C43A1941BEA7BEC113F9FB7D989558BBDC9D4D58A8376E2C2C5587FCBfalsetrue 11241100x80000000000000005503985Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:04.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503984Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:04.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C7760345967D5834D27373DC30FFB3,SHA256=C4C891F9815D395D35DD0632B22124325B351503F7F8965B363C215FDFB1F4A0falsetrue 11241100x80000000000000005503983Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:04.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503982Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:04.104{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875C84EF4C4E5F65A9417456A6BA9337,SHA256=60BFF4AF6B4B2C618219489855F01DA1C9BC72DBBCD7CA9981857F1999FFBB27falsetrue 23542300x80000000000000001551819Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:05.897{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E594EF81A930DBA3B306CE2966EE4397,SHA256=DCE4984BA5BE541077119C65D29A85FDD500652222F5D7C972A3FB38EBFCBAD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503994Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:05.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503993Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:05.870{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81C249334D2497F1649406CA344C02A3,SHA256=6351A5FFDEC7DFA4829351317F32BC5720D3961D3AC899AAAC5DEE2CB4A29DC0falsetrue 11241100x80000000000000005503992Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:05.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005503991Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:05.229{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EEC5D9BF67B32E8E5FDDDF624B5D66A0,SHA256=B15C5E1C733FCB440A7A44857F17F930B3F67FB82AF5EF2FC8CADE96E44DF807falsetrue 11241100x80000000000000005503990Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:05.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503989Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:05.214{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B10B230E707288919FDBB599AA82BE,SHA256=4BC52D1DCF90919FF91D89516887F941CF5D59DB1B020EE31F6A0DF14F032126falsetrue 23542300x80000000000000001551821Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:06.900{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B657504D3AEB9B46DD58EE60800C75,SHA256=8F7BE8A701598FCB2D5A0DF73E391A1F7F428F21B24C30720CE04BEC3F4B2B09,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005503996Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:06.432{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503995Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:06.432{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAF067D59B8086AE03909E70B1C4E31,SHA256=C4A55C985204C11CB3883DB879B944C9D108EC8FFBF1248911615AD9F0BF7ADDfalsetrue 23542300x80000000000000001551820Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:06.652{AEE49BD1-415A-6132-1100-00000000F101}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7D27A1BC8C4C7889769A77A1FF9B22EF,SHA256=A9D559F84543C85F63803B7FC9EDB63F351B2BAC2228540FC89F55B3A597DC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551822Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:07.901{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA4571FCBC7177A380B50ACD6127C5D,SHA256=C10A1E0A4C4F50EBAA6ABDCCA27235C14350C3AB37357784BB1D7F12EA83ADD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504000Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:07.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005503999Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:07.542{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927EFC4CFA224E6EC94F8852D06B72DF,SHA256=237E361B691092ACB8459ED91A3FEA2FA92CCD955417F5A038E52B3A6590A7E4falsetrue 11241100x80000000000000005503998Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:07.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005503997Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:07.073{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=559C5A9AE6FDD5FB44CEDD0F9F236446,SHA256=50FAD95C43A1941BEA7BEC113F9FB7D989558BBDC9D4D58A8376E2C2C5587FCBfalsetrue 11241100x80000000000000005504002Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:08.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504001Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:08.573{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C186BC408868967F02AECF23DB11E8,SHA256=038F8A7E03A496BB083E10E9C37E931EA36585B61B8B51B88D0E0FBC2265E7B1falsetrue 23542300x80000000000000001551823Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:08.903{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00842DA646D300CE812D114CC5AE0E2,SHA256=1CF6E9B2ED6F9DF29043595641B587AE4606331DF67AC0F2EB1FC2C3168EB195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551826Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:09.905{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3F496A05FB935E42F8D28846D9806A,SHA256=22EE26436D1C69AA4D0C9F7DCC6EB865FD4535CF1CA99CDFA6E804139F40B568,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504004Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:09.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504003Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:09.604{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D62427D868EA3FFC0B0D3F3301C38B,SHA256=4B3EABDD6E997847F50A6393B81FF80994DB59C60F2946C8040E7C3565A1F1D9falsetrue 23542300x80000000000000001551825Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:09.071{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E082D4345DCB25EF6FC8EF849A496F3,SHA256=6EE7DBB0B2F226A769C7BDE4D96E88523B63F7F7F50FE0BDD378E92722400810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551824Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:09.071{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=773C01A1B0580CA12D05CE5044D9BE4F,SHA256=E3EDC9406FFE020CB585EC7E319F826B92A7786B1853543FA06246E1D9EA5186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551828Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:10.906{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710F24A38DE62F3EF19CF6A1A59450C4,SHA256=C10C339C51E6746FBC4D8FEE1A43BA1BB6FC6213AFDB19E4A39A81D7C805D652,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504012Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504011Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.901{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F0D1D6C0E8DD0A21902B254161D2E029,SHA256=A420EB920AABB1B71E4160D9A839659DA49593BD9CA872C24CCC0D4A597914F6falsetrue 11241100x80000000000000005504010Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504009Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.620{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F090B4206208DDFA2A5611482D6CC635,SHA256=B25B606A1174AC122297169C80EA61368FA6F6FA5A8C160CECB408B05BD6D14Ffalsetrue 354300x80000000000000001551827Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:02.653{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000005504008Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504007Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.323{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2193F2E16287306E1216E4CFDF174DC,SHA256=DD60CB43AD656DBAC3A865C0AEAA9B4BD58456A2BD50662C5EAE313DC5795E1Efalsetrue 11241100x80000000000000005504006Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504005Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:10.058{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C10F37ED9AE4E44866C56314B853D658,SHA256=3642F057981C955CB794218C44BDFDF27270C2F5A4B1549BC95B7E949A4D47D1falsetrue 23542300x80000000000000001551829Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:11.907{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7192C86C82025FA4E602B74DF2AE51C,SHA256=F4354C10021CCED17C3772A34B9B63AEEBA0C629E7B4C8263041CD445251694F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504017Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:11.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504016Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:11.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC1337DC447A8A0E7C4A5FE197639B5,SHA256=AC193D3F6E8920FB0D1275912B99ACC25BBBA66C7100A679877B13B111C8ED9Bfalsetrue 12241200x80000000000000005504015Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:46:11.311{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000005504014Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreateKey2021-09-08 19:46:11.311{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x80000000000000005504013Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:56.739{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49885-false10.0.1.12-8000- 23542300x80000000000000001551830Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:12.946{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62BE1DF4314CCCF12706F3AFC4E7E03,SHA256=9B175DA5E9B2DA9B42DB3A72015C1264681680D1A3BF3303B3BF554CC68D3427,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504021Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:12.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504020Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:12.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9870619D253CAB0E79C82CE965E81004,SHA256=D3BACE445ACE71340F6C7BBB84DED042926AC43DC6BF3E964F26BCE3961CB7A8falsetrue 11241100x80000000000000005504019Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:12.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504018Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:12.171{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DADBFEA2ADF3C0AFD275433AA87517FE,SHA256=C1198497238FE8700E41E0CAE876CF5E5DB059F6B7C4A7905F7460AD649D4E62falsetrue 23542300x80000000000000001551831Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:13.966{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B31EE0E972D66E01F44CAF904772F9,SHA256=ED65EE2E19D4C70082E3D30CC161BD9E72C621370FA76E27BB8352A13251CF98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504025Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:13.702{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504024Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:13.702{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22BCC953499DB16B9F6FAB14C328390,SHA256=8F857AA1BD610979BC4C3772E7B3130CFC2C057E4A5A4F5BCD5FBBA142BE6D8Dfalsetrue 354300x80000000000000005504023Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:58.806{4DF467A6-3F46-6132-0B00-00000000F001}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49886-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 354300x80000000000000005504022Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:45:58.806{4DF467A6-3F58-6132-2800-00000000F001}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-291.attackrange.local49886-true0:0:0:0:0:0:0:1win-dc-291.attackrange.local389ldap 11241100x80000000000000005504027Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:14.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504026Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:14.858{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB1CE5A9D9365F7B54F4D761795398B,SHA256=A26083005014534D666F98A8B88D3920B9C709A6474E16BB4F619752E2C215F6falsetrue 23542300x80000000000000001551834Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:14.929{AEE49BD1-41F0-6132-A300-00000000F101}3384NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C1B08425A691FD8F9D8F8FC8AC47949,SHA256=6E2AE5345311729EE605A563A000465A331DC7A411F38937CFD100C63CECC36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551833Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:14.148{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D85D978F3AA8B6EC8B5C03302DC7B95,SHA256=9B0D95CE45509B760B6F69278B069F33B0D7F3DE047178B822885E829857ACD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551832Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:14.147{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E082D4345DCB25EF6FC8EF849A496F3,SHA256=6EE7DBB0B2F226A769C7BDE4D96E88523B63F7F7F50FE0BDD378E92722400810,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504033Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:15.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504032Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:15.936{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A67901529EB4B9C81808176399E5B06,SHA256=0E49223372E2AA891C83EFC4089A5ADF42BFE3E989B02E984268B853EFB39047falsetrue 11241100x80000000000000005504031Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:15.874{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504030Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:15.874{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F7BE740CB4325841F7E3BB5D4848FEA,SHA256=2020FB773C4F15393AF2F6F5686DB661005F336F0DF31ECF17C641AFC912D818falsetrue 11241100x80000000000000005504029Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:15.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504028Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:15.124{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=825EBE4E53D095A5049671B3EB0CA7A3,SHA256=6F5398D4C1879EC0CFE860A7EFD75434B9CEB7BB689AEC6445F927CEE46BBBF8falsetrue 23542300x80000000000000001551837Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:15.915{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D85D978F3AA8B6EC8B5C03302DC7B95,SHA256=9B0D95CE45509B760B6F69278B069F33B0D7F3DE047178B822885E829857ACD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551836Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:07.725{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61783-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551835Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:15.014{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBBF34A8D4855B1661651BE9E922624,SHA256=E126B4E8523B4FAF8212272423206CE81F0EAF06D6AE4A63005CB9545A7D2C9F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504037Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:16.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504036Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:16.890{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507A8A9C5D9B3182C83E7C2BED74B286,SHA256=087CB5F9AE4FA7C0C4342AA8BB6BEA482CB400896B76E67388DF31FB70AB6BE5falsetrue 11241100x80000000000000005504035Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:16.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504034Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:16.108{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67365293347271FE158E2C180FEBA38D,SHA256=64D471A2523C5D8E2A2B65A3ED79CACF435B9F05137FF08A6E913B5ED60BF10Dfalsetrue 10341000x80000000000000001551848Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.870{AEE49BD1-1308-6139-C8D0-00000000F101}18525428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551847Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.751{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1308-6139-C8D0-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551846Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.750{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551845Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.750{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551844Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.750{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551843Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.750{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551842Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.749{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1308-6139-C8D0-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551841Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.749{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1308-6139-C8D0-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551840Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.733{AEE49BD1-1308-6139-C8D0-00000000F101}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001551839Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:09.513{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61784-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001551838Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:16.015{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6545E59999BCCCE5E90345CC0D85831,SHA256=10F4D90A951013475DFAD341A0E857671D7C44EFBA875EA17DDB8B00CE6D7894,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504040Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:17.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504039Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:17.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FF433BFA44B27F434C145E22F24038,SHA256=F2EEA4BDD0BD0A7430E462F4ED637E5FEE1441090B2B4BEB03861EF8ECEE2401falsetrue 23542300x80000000000000001551858Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.751{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8426AAE2514AED7967901CF2D5ED7B48,SHA256=C05C82A1A2B9DEC49124F6D43431D9E2609706FB79E91F282B5FB95CBFF4EAFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551857Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.433{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1309-6139-C9D0-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551856Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551855Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551854Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551853Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.433{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551852Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.433{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1309-6139-C9D0-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551851Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.433{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1309-6139-C9D0-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551850Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.418{AEE49BD1-1309-6139-C9D0-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551849Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.016{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81960668753E8C9C2C18BD4EB3A5279,SHA256=B05309BA68737EF970924022A2DF315471727C40CF32D87A904F1CF1BF316C20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005504038Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:02.508{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49887-false10.0.1.12-8000- 11241100x80000000000000005504042Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:18.921{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504041Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:18.921{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C115E59F0F83E0454A537F50D0DD4B9C,SHA256=77D335F5F0B453DD192729B58628CE61800DC54E52B9755780791FDEAAE328E8falsetrue 10341000x80000000000000001551867Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.132{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-130A-6139-CAD0-00000000F101}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551866Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.132{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551865Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.132{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551864Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.132{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551863Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.132{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551862Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.132{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-130A-6139-CAD0-00000000F101}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551861Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.132{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-130A-6139-CAD0-00000000F101}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551860Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.117{AEE49BD1-130A-6139-CAD0-00000000F101}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551859Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:18.052{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E167B5F756B9367D13C6C49CB0E815,SHA256=E0213C65FE82718D4B7643945C7695E777D2C08B14618D56E048A558FE0125F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551869Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:19.118{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A99882ED47F44CB3B1F6858C1380D7,SHA256=07AA1330A57D52820FA4980C48208C92E5EEC7B850992154366C64553A7D5930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551868Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:19.056{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D731B2128541542D530B4D524F0775,SHA256=0A47F2BDD601011150DE9D0F60CA9CF6B74E2707B615CA227422426C74BCB8A2,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005504153Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.890{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005504152Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005504151Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005504150Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005504149Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005504148Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005504147Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005504146Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005504145Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005504144Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005504143Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005504142Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005504141Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005504140Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005504139Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005504138Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005504137Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005504136Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005504135Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005504134Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005504133Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005504132Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005504131Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005504130Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005504129Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005504128Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005504127Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005504126Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005504125Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005504124Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005504123Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005504122Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005504121Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005504120Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005504119Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005504118Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005504117Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005504116Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504115Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005504114Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005504113Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005504112Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005504111Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.874{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005504110Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.858{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005504109Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.859{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005504108Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.858{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504107Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:19.858{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504106Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.858{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504105Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:19.858{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504104Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.858{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504103Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:19.858{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000005504102Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.327{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005504101Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.327{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005504100Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.327{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005504099Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.327{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005504098Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005504097Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005504096Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005504095Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005504094Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005504093Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000005504092Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005504091Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005504090Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005504089Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005504088Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000005504087Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005504086Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005504085Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005504084Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005504083Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005504082Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005504081Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005504080Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005504079Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005504078Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005504077Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005504076Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005504075Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005504074Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005504073Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005504072Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005504071Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005504070Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005504069Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.202{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005504068Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005504067Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005504066Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005504065Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000005504064Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005504063Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000005504062Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005504061Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000005504060Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005504059Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005504058Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005504057Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000005504056Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504055Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005504054Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005504053Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005504052Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000005504051Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005504050Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.186{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005504049Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.172{4DF467A6-130B-6139-DED6-00000000F001}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005504048Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.171{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504047Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:19.171{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504046Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.171{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504045Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:19.171{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504044Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:19.171{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504043Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:19.171{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000001551871Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:12.747{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61785-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551870Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:20.073{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89638955617A1E9A088A5B9BBEA9ACDF,SHA256=167DB07A467F5058CB11BB97F68D8ABCDE06030F0272469E8D47BFE92538D23E,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000005504223Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.530{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005504222Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.530{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005504221Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.530{4DF467A6-130C-6139-E0D6-00000000F001}55925892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504220Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.530{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005504219Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.530{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005504218Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.421{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005504217Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.421{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005504216Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.421{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005504215Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005504214Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005504213Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000005504212Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005504211Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005504210Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005504209Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005504208Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005504207Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005504206Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005504205Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005504204Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005504203Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005504202Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005504201Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005504200Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005504199Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005504198Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005504197Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005504196Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005504195Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005504194Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005504193Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005504192Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005504191Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005504190Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005504189Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005504188Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005504187Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005504186Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005504185Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005504184Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005504183Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005504182Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000005504181Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005504180Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504179Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005504178Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005504177Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005504176Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000005504175Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005504174Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.405{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005504173Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.390{4DF467A6-130C-6139-E0D6-00000000F001}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005504172Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:20.390{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504171Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:20.390{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504170Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:20.390{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504169Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:20.390{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504168Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:20.390{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504167Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:20.390{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005504166Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504165Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.343{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D320B204AF8EAF9FAABE0A133D5ADB4B,SHA256=655C185CAD91222A9B43350AA37C79B1633715EDE96339C4C4BA66D425D933AFfalsetrue 11241100x80000000000000005504164Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504163Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.327{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C4BAD5558F0933DEF12D6EE9325B4E,SHA256=F7B3F69D70142064709FB7D35C0E5900A6302767BD4DCBEACB8C018F5CCC4CC5falsetrue 11241100x80000000000000005504162Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504161Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E103D5B555116F05ED68D459B3594A17,SHA256=3374FB447838D7CF55E23CEB828CC076F2930E37961105B74FD2BDA0CC387A39falsetrue 11241100x80000000000000005504160Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504159Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:20.311{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45ECB2AECEC7E45CFFBABA5AED4D4AC1,SHA256=724636A8764546205B6B0F502C575CD8950D8C62992E4CB48698C00A87702F82falsetrue 534500x80000000000000005504158Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.999{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005504157Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.999{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005504156Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.999{4DF467A6-130B-6139-DFD6-00000000F001}80166872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504155Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.999{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005504154Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:19.999{4DF467A6-130B-6139-DFD6-00000000F001}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 534500x80000000000000005504344Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.765{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000005504343Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.765{4DF467A6-130D-6139-E2D6-00000000F001}14285100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504342Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.765{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005504341Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.765{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000005504340Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504339Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.671{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FD033B09EA60764C9C038017D70B6A,SHA256=660234FCCFC3B22833CCAC3A742C0DD5F1242E1C8B1C29DA7B605EAB1C502944falsetrue 734700x80000000000000005504338Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.655{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005504337Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.655{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005504336Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.655{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005504335Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.655{4DF467A6-130D-6139-E2D6-00000000F001}1428\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005504334Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.655{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005504333Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.655{4DF467A6-130D-6139-E2D6-00000000F001}1428\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000005504332Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005504331Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005504330Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005504329Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005504328Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005504327Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005504326Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005504325Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005504324Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005504323Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005504322Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005504321Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005504320Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005504319Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005504318Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005504317Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005504316Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005504315Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005504314Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005504313Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005504312Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005504311Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005504310Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005504309Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005504308Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005504307Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005504306Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005504305Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 13241300x80000000000000001551882Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001551881Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1aa33681) 13241300x80000000000000001551880Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e1-0xd10199ca) 13241300x80000000000000001551879Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4ea-0x32c601ca) 13241300x80000000000000001551878Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f2-0x948a69ca) 13241300x80000000000000001551877Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001551876Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x1aa33681) 13241300x80000000000000001551875Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7a4e1-0xd10199ca) 13241300x80000000000000001551874Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7a4ea-0x32c601ca) 13241300x80000000000000001551873Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-SetValue2021-09-08 19:46:21.637{AEE49BD1-4159-6132-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7a4f2-0x948a69ca) 23542300x80000000000000001551872Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:21.074{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF25F9FB5C89B1721ED925D9A11DDC2B,SHA256=C8BC5791F6476DEACA4E91330FA19A11916DE15370F42C158F4F55D3685EA0AA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000005504304Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005504303Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005504302Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005504301Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005504300Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504299Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005504298Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005504297Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005504296Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000005504295Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-3F46-6132-0500-00000000F001}412428C:\Windows\system32\csrss.exe{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005504294Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.640{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005504293Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.625{4DF467A6-130D-6139-E2D6-00000000F001}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005504292Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.624{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504291Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:21.624{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504290Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.624{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504289Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:21.624{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504288Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.624{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504287Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:21.624{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005504286Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.593{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504285Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.593{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F68FBF2FFFD5FE12A1D87752CD698F90,SHA256=3C1BCC647E30FD4ECD085C0E6378F5593671394FB3133200A026B6FF40EFFE95falsetrue 354300x80000000000000005504284Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:07.664{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49888-false10.0.1.12-8000- 11241100x80000000000000005504283Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.483{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504282Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.483{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC55DE27BA2284F9B0725621CFE6745,SHA256=3BEFF73C235897D65D8E250DCBBB217B684F6D1D99B2349468B73F1D9841AB13falsetrue 534500x80000000000000005504281Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.218{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005504280Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.218{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000005504279Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.218{4DF467A6-130D-6139-E1D6-00000000F001}51727348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504278Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.218{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005504277Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.218{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005504276Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.108{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005504275Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005504274Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005504273Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005504272Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005504271Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000005504270Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005504269Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005504268Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005504267Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005504266Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005504265Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005504264Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005504263Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005504262Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005504261Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005504260Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005504259Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005504258Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005504257Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005504256Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005504255Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005504254Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005504253Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005504252Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005504251Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005504250Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005504249Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005504248Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005504247Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005504246Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005504245Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005504244Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005504243Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005504242Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005504241Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005504240Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005504239Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504238Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005504237Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005504236Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005504235Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000005504234Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.093{4DF467A6-3F46-6132-0500-00000000F001}412380C:\Windows\system32\csrss.exe{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005504233Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.077{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005504232Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.078{4DF467A6-130D-6139-E1D6-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005504231Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.077{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504230Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:21.077{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504229Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.077{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504228Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:21.077{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504227Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:21.077{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504226Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:21.077{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005504225Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504224Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:21.015{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7B4B16406B18B8CFED336398769E7CED,SHA256=08BDC21285794614BF59910467348255098A16F71980D5185A0A98A246733A17falsetrue 154100x80000000000000005504411Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.984{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000005504410Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.983{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504409Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:22.983{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504408Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.983{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504407Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:22.983{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504406Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.983{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504405Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:22.983{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000005504404Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504403Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.640{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D44F9C44486FD51CD9773C9B9700B3,SHA256=85477A434752540EE27F00842E0640146D5A07F77FD43529AA7E1D5B5FFDEDCEfalsetrue 534500x80000000000000005504402Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.436{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005504401Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.436{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005504400Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.436{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005504399Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.436{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005504398Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.327{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005504397Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.327{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005504396Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.327{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005504395Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.327{4DF467A6-130E-6139-E3D6-00000000F001}6960\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005504394Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.327{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005504393Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000005504392Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005504391Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005504390Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005504389Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005504388Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005504387Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005504386Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005504385Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005504384Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005504383Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005504382Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005504381Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005504380Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005504379Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005504378Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000005504377Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005504376Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005504375Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005504374Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005504373Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005504372Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005504371Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005504370Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005504369Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005504368Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005504367Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005504366Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005504365Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005504364Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005504363Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005504362Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000005504361Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x80000000000000005504360Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504359Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005504358Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005504357Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005504356Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000005504355Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005504354Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.311{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000005504353Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.298{4DF467A6-130E-6139-E3D6-00000000F001}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4DF467A6-3F46-6132-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{4DF467A6-D933-6137-53AF-00000000F001}7044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005504352Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 18141800x80000000000000005504351Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.296{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504350Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:22.296{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000005504349Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.296{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504348Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:22.296{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000005504347Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.296{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E8194C69F991DD86B742D027CAF59A,SHA256=5DEA889A3AB37CE4606F503C363BFD5A9296BB9B7FC83FC94BE30B6F0BDCED72falsetrue 18141800x80000000000000005504346Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.296{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000005504345Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-CreatePipe2021-09-08 19:46:22.296{4DF467A6-D933-6137-53AF-00000000F001}7044<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001551883Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:22.076{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF05D862FC4BB55E2BB84AB4E4D569DF,SHA256=71C59362A3715811922D795C0ED9B7EBACEBB9E422446319B0BE3772181F6219,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504464Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504463Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C49D9B105DC81374E887076FC06304,SHA256=F9C3AA9FA7991CE1F6E050E2E2738D1FD5E5F013803AE34F512202D349E8784Cfalsetrue 23542300x80000000000000001551884Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:23.078{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF24F7FB8CED3ACE4C64508A0445F908,SHA256=5D3042388304AB02FC692D12AFC75686BE22B7F36DECFC233B8CAE890A560A21,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504462Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504461Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.280{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF54A463C9BF4B4182FFC00B24A948,SHA256=51A61628897CE231D618A23D51E94B62A37042BE4636DAD9B9EDA38471B18DA3falsetrue 534500x80000000000000005504460Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.124{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005504459Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.124{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000005504458Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.124{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000005504457Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.124{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000005504456Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.015{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000005504455Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.015{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000005504454Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000005504453Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005504452Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000005504451Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-ConnectPipe2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000005504450Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000005504449Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000005504448Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000005504447Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000005504446Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000005504445Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000005504444Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000005504443Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000005504442Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x80000000000000005504441Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000005504440Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000005504439Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000005504438Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x80000000000000005504437Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000005504436Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000005504435Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000005504434Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x80000000000000005504433Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000005504432Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000005504431Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000005504430Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000005504429Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000005504428Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000005504427Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000005504426Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x80000000000000005504425Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000005504424Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000005504423Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x80000000000000005504422Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x80000000000000005504421Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000005504420Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000005504419Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000005504418Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-D934-6137-57AF-00000000F001}54486556C:\Windows\system32\conhost.exe{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000005504417Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000005504416Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000005504415Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x80000000000000005504414Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000005504413Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.999{4DF467A6-3F46-6132-0500-00000000F001}412528C:\Windows\system32\csrss.exe{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000005504412Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:22.983{4DF467A6-D933-6137-53AF-00000000F001}70441372C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4DF467A6-130E-6139-E4D6-00000000F001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000005504468Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:24.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504467Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:24.390{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6327D6DF6FD12E23D90C2E562D499D1,SHA256=0CB3457804979692489F1A4236727A7475C690757F928298DAFAAB4C0F176DAEfalsetrue 23542300x80000000000000001551887Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:24.242{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF08CA14961F54D156B2A57970474841,SHA256=4376363EA9A94AF703421945F468353578207DF9B1130B8088F45BB4156FE663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551886Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:24.242{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6645ADB811674DB038FB8A8F15123D55,SHA256=779B5896D205FE235889058206B5D67DFBEDD5AA67DAE7B85C753CE49996861A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551885Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:24.080{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94392679AF0F4C2E6B24CBDE991978CE,SHA256=D386465C1137CD2CD1997068AEBE7BC93C16F07C0ECCF030850596F70D0F5542,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504466Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.999{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504465Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:23.999{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE85053AD9FA661E92BF7167C05FFA24,SHA256=50A31028D9EE94C215282EA7F07BFAED409F9ED3A00E4583EC2E5C258EFF60A1falsetrue 11241100x80000000000000005504472Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:25.686{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504471Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:25.686{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9840FAB979074CC49B2D283E107C1DEB,SHA256=FA996D88C5379688E441C1F03A9A4190FF33427E828F70076A38E8F653C90ABFfalsetrue 11241100x80000000000000005504470Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:25.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504469Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:25.655{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB5DEB444AC6ABED0BD27851B832B61,SHA256=B4F3F84BFCBD90FBC83382C2F6085BFF6996C939BCE676C3D02754FB1B225839falsetrue 354300x80000000000000001551889Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:17.839{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61786-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551888Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:25.097{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B22661D8FDFA2BC84703B3F8E8F95A,SHA256=2E7138ABA546EC2FF269A94607E7A33BC424273420A556F31DB25713B778F063,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504479Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:26.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504478Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:26.780{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9360B5FBCB78F81D3EF24B78B5320EF8,SHA256=3B01D6C26B27D2F70735F1E9371E1B3F325C2F614F6B8E2B7F117DE6FDB97041falsetrue 23542300x80000000000000001551890Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:26.164{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9510F2D625FFB39547F1FDE1CC625B35,SHA256=A58236B611696993C6FB73F9966EF590E301372F4985AAD581C635909C94F27C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005504477Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:12.664{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49889-false10.0.1.12-8000- 11241100x80000000000000005504476Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:26.218{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504475Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:26.218{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA73344302A3A81657A545B8078EDEC0,SHA256=525CBECCF946E2BC55D7194827E38BF9FC62A1677130AACAE382A9899424505Dfalsetrue 11241100x80000000000000005504474Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:26.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504473Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:26.093{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=03B6606175589F3428312CC9711D36E0,SHA256=98AAD7BF33ADAE93C414BFCCEC81B2099EC16B0C3504C6B48FE20D5827DCB850falsetrue 11241100x80000000000000005504481Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:27.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504480Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:27.796{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51921C9B3A047948F91BEAA83F54B27,SHA256=D40DB26573245ACF6CFE1977288FE2DF47151CDC8B7EFFCAE38583AAE8DDB924falsetrue 23542300x80000000000000001551891Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:27.168{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A88DFC146DC6DDAB870553650E45702,SHA256=EBDA4E492C4C319885328DEBF155B292627ECB42E57303703175527A9BE8D4FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504483Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:28.827{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504482Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:28.827{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9D962221CE3DA25D77A188BFB1FD5E,SHA256=14A6231AC69D8805551122ECA81E45073C55538CF97EB1927D42CC6EDEA2992Afalsetrue 23542300x80000000000000001551892Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:28.173{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08016923D025024C830BBBD1409D9E3,SHA256=663810C45668F96AB465198734B34755A5C3393EF2163959F94ABEC2D88C126E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504485Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:29.874{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504484Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:29.874{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032758F6ED0AF3D58A192D8C76A9830,SHA256=B9DFECFE873FADDCC196815E5EFDDB0E4F0088A69C460D16FC2CB0727DE681EAfalsetrue 23542300x80000000000000001551893Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:29.207{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294430234DAF4FCB694A2D19C516D034,SHA256=7CEABA3A69352956B4CF64DC755BA7E51DFA76249ADCCC8C0E1AB00AF462B561,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504489Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:30.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504488Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:30.905{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D9CA7CCED60F0D8F06C5F5D3AD37CD,SHA256=BB723F13CDA28937A96F0CE917D4DF363815CBFB93FC908E2A399D20EDDBC3F4falsetrue 354300x80000000000000001551897Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:23.790{AEE49BD1-41F7-6132-D100-00000000F101}3472C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-296.attackrange.local61787-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551896Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:30.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7AC871130FFBF2FC36E5FFFC379EA72,SHA256=D9E7E19D6ED6C3BF0D38B50D8E1C3F6075DB9D52274245E8653A7512E6411724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551895Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:30.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935E9C88F77167CEF7BBCDE00147E5A6,SHA256=AFE7D26E86678CA0B4AAF9701E184F561FC1E1F9561882041FC44EA67989AF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551894Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:30.209{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF08CA14961F54D156B2A57970474841,SHA256=4376363EA9A94AF703421945F468353578207DF9B1130B8088F45BB4156FE663,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000005504487Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:30.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504486Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:30.374{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC6D34E4D70823AC592ADABC69A3FF27,SHA256=C293EC680F8104BC600B2818EA369BC475D6965F43B9C56D8769E5BEC3E4DF3Dfalsetrue 11241100x80000000000000005504500Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504499Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.910{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A0189748E9CBFFF4B2DF3D329E5CC2,SHA256=628555E6ABBF9249515625B5D0CBADD3C693905EAD81607A5D0A886219EEF78Dfalsetrue 10341000x80000000000000001551908Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.643{AEE49BD1-1317-6139-CBD0-00000000F101}2924956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551907Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.528{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1317-6139-CBD0-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551906Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.528{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551905Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.528{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551904Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.528{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551903Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.528{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551902Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.528{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1317-6139-CBD0-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551901Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.528{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1317-6139-CBD0-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551900Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.513{AEE49BD1-1317-6139-CBD0-00000000F101}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551899Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.275{AEE49BD1-DACA-6138-1CCA-00000000F101}4976WIN-HOST-296\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\g42kcjnd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DFDC9E6584A14E92B911E7CAD63DE27C,SHA256=7B84E6B9AFF4C1D7ED9733D5A410182DD51676699E756FAD7621DAB792FD53B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551898Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:31.228{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D677522B0A0F4C96B658EFBF7766A9,SHA256=FF8480D1C3EB5499CDD14B5DD5EC52BAB797A0A07A03EEB6EE65DB2E70491907,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000005504498Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:17.727{4DF467A6-D939-6137-81AF-00000000F001}4208C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-291.attackrange.local49890-false10.0.1.12-8000- 11241100x80000000000000005504497Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504496Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B587338C639B77BC4B7C1F32384A550B,SHA256=6F814237C478F1626E2360C9A5C48A15055945B1419881006F861FD667023A3Dfalsetrue 11241100x80000000000000005504495Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-03 15:27:39.769 23542300x80000000000000005504494Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.457{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C94FA3F08F0EE3A4D1E5BCBD23C9C2BD,SHA256=98A170A184A0C467B54A0E090F2131B6C8F42B870326740882783F47A225F948falsetrue 11241100x80000000000000005504493Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-03 15:27:39.754 23542300x80000000000000005504492Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.113{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C107166608E9A982BEA57B4715CE36C2,SHA256=16850A85DE49DF9262088267F1EDCF6BB4C2B23A6D68B0E5C5665790DD425639falsetrue 11241100x80000000000000005504491Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.030{4DF467A6-3F48-6132-1000-00000000F001}8C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-09-03 15:29:12.185 23542300x80000000000000005504490Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:31.030{4DF467A6-3F48-6132-1000-00000000F001}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ED4FA4A095B69F8FD5B63D3458FC7954,SHA256=520706C5411E45E104DBA8C24607CFD6EBD2E77896632BF4DA35086694685BACfalsetrue 11241100x80000000000000005504502Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:32.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504501Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:32.957{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A33629DDB3090E3A994F5E450806B14,SHA256=3B3DD3B66978E36C277B8D1BAA1D9841125BDFD458063F7774E6907DDD8999BFfalsetrue 10341000x80000000000000001551927Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.929{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1318-6139-CDD0-00000000F101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551926Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.929{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551925Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.929{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551924Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.929{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551923Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.929{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551922Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.929{AEE49BD1-4159-6132-0500-00000000F101}412992C:\Windows\system32\csrss.exe{AEE49BD1-1318-6139-CDD0-00000000F101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551921Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.929{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1318-6139-CDD0-00000000F101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551920Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.914{AEE49BD1-1318-6139-CDD0-00000000F101}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001551919Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.514{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7AC871130FFBF2FC36E5FFFC379EA72,SHA256=D9E7E19D6ED6C3BF0D38B50D8E1C3F6075DB9D52274245E8653A7512E6411724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551918Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.344{AEE49BD1-1318-6139-CCD0-00000000F101}36123772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551917Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CD485E49FE903B2E762F4A8AC7B575,SHA256=ACB37C68585A90A231CE27BBA35CC0CBEBEA75361630D327C8CD5B16A4AE3789,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551916Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-41F0-6132-A700-00000000F101}37643780C:\Windows\system32\conhost.exe{AEE49BD1-1318-6139-CCD0-00000000F101}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551915Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551914Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551913Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551912Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-415A-6132-0C00-00000000F101}724632C:\Windows\system32\svchost.exe{AEE49BD1-415B-6132-1D00-00000000F101}1860C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551911Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-4159-6132-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AEE49BD1-1318-6139-CCD0-00000000F101}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551910Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.229{AEE49BD1-41F0-6132-A300-00000000F101}33843556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AEE49BD1-1318-6139-CCD0-00000000F101}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551909Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:32.214{AEE49BD1-1318-6139-CCD0-00000000F101}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AEE49BD1-4159-6132-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005504507Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:33.967{4DF467A6-D93F-6137-8AAF-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-03 15:28:51.675 23542300x80000000000000005504506Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:33.967{4DF467A6-D93F-6137-8AAF-00000000F001}5720NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F3614F1F269810024E9C251522B1FB,SHA256=EB418B4700B067019E90ADAD882379C1D65D3B4CB1CE91B19CA406688F6B41A3falsetrue 23542300x80000000000000005504505Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:33.491{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\respondent-20210903152930-7271MD5=D5C12E9FDEBBD8E533704D2E58EE3480,SHA256=4ED8772621488579B9B018F26FDB8AA0735C4021DC0D3F8DD4987BBDBB83A483falsetrue 11241100x80000000000000005504504Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:33.490{4DF467A6-3F59-6132-4300-00000000F001}3604C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\respondent-20210903152930-72712021-09-08 19:46:33.490 11241100x80000000000000005504503Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:33.489{4DF467A6-3F58-6132-2900-00000000F001}2880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\tmp\surveyor-20210903152928-72722021-09-08 19:46:33.489 23542300x80000000000000001551930Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:33.915{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C2AB8A3D2D0F53BA300817716F9409D,SHA256=5DEC4006F83A3AB9FAAA7F85E60D26BE602529FEF21627E041C74703458E57FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001551929Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:33.261{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE7820CD50B29C63B6675F5D639824A,SHA256=241A7D9272EBA71D044B5ACAB468DAF45A1554A00E421F6B76626D4665CB29AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551928Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:33.060{AEE49BD1-1318-6139-CDD0-00000000F101}55605108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AEE49BD1-41F0-6132-A300-00000000F101}3384C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001551931Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:34.316{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D532907225262543C23FB46E140155A8,SHA256=373A06C8344AFB0F3D1205D85705A4041D75032638FFA5843F624C54F632AEE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000005504508Microsoft-Windows-Sysmon/Operationalwin-dc-291.attackrange.local-2021-09-08 19:46:34.499{4DF467A6-3F58-6132-2900-00000000F001}2880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08abff9d3d51eca27\channels\health\surveyor-20210903152928-7272MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 23542300x80000000000000001551932Microsoft-Windows-Sysmon/Operationalwin-host-296.attackrange.local-2021-09-08 19:46:35.318{AEE49BD1-41FD-6132-DA00-00000000F101}3924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF149E59760200989974BE96A91271A3,SHA256=0FCAF1E83556B281C89173F7A14643F266B16E1502007B97CEE1057AA80C6FA5,IMPHASH=00000000000000000000000000000000falsetrue